Bugtraq mailing list archives
Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0
From: Eugene Medynskiy <eugenem () brainlink com>
Date: Wed, 25 Jul 2001 14:30:10 -0500
This only affects systems that use crypt() to validate passwords. If you use md5 or blowfish instead (which OpenBSD, NetBSD, and Debian Linux, among others do by default) you should not be vulnerable.
-- -- Eugene Medynskiy "You can't fight in here, this is the War Room!" Stephanie Thomas wrote:
Hi Emre, We have tested OpenBSD and NetBSD, and have foundthat they do not experience this vulnerability, even with ssh 3.0.0 installed.This is most likely due to the method used to encrypt the password in /etc/passwd or /etc/shadow.Best Regards, Steph -----Original Message----- From: Emre Yildirim [mailto:emre () vsrc uab edu] Sent: Monday, July 23, 2001 5:12 PM To: bugtraq () securityfocus com Cc: customer.service () ssh com Subject: RE: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0SSH Secure Shell 3.0.0 does not ship with any of the operating systems mentioned, nor does the announcement specify that it does. However, if a user has explicitly installed SSH Secure Shell 3.0.0 on any of the listed operating systems, they are vulnerable to this potential exploit.I don't want to drag this boring thread any longer, but in your advisory, it stated that OpenBSD and NetBSD were not vulnerable. So...if I install SSH 3.0.0 on one of those (even though the already come with openssh), ssh will not be vulnerable to this bug? Or will it? I think that part created a little confusion. Cheers
Current thread:
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0, (continued)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Seth Arnold (Jul 24)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Marcin Zurakowski (Jul 23)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Brian Carpio (Jul 23)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Stephanie Thomas (Jul 23)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Brian Carpio (Jul 23)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Jaime BENJUMEA (Jul 23)
- RE: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Jonathan A. Zdziarski (Jul 23)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Roman Drahtmueller (Jul 23)
- RE: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Stephanie Thomas (Jul 23)
- RE: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Emre Yildirim (Jul 24)
- RE: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Stephanie Thomas (Jul 25)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Eugene Medynskiy (Jul 25)
- RE: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Stephanie Thomas (Jul 23)
- RE: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Stephanie Thomas (Jul 26)