[13016] in bugtraq
Re: SSH 1 Why?
daemon@ATHENA.MIT.EDU (R. J. Wysocki)
Mon Dec 20 11:35:12 1999
Message-Id: <99121818113900.01107@dwarf.rjw.waw.pl>
Date: Sat, 18 Dec 1999 18:10:01 +0100
Reply-To: "R. J. Wysocki" <rafael@RJW.WAW.PL>
From: "R. J. Wysocki" <rafael@RJW.WAW.PL>
X-To: Emiliano Kargieman <core.lists.bugtraq@CORE-SDI.COM>,
BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <3857E031.560511EC@core-sdi.com>

On Wed, 15 Dec 1999, Emiliano Kargieman wrote:
> "Daniel P. Zepeda" wrote:
> Well, there is a problem in the way SSH protocol version 1.x (implemented in
> versions 1.x of the SSH software packages) handles integrity checking of the
> encrypted channel, that could allow an attacker to insert arbitrary commands
> to be executed on the server. This problem is inherent to the protocol and
> although there are ways to detect this attack, an upgrade of the protocol is
> recommended. See
> http://www.securityfocus.com/templates/archive.pike?list=1&date=1998-06-08&msg=199806120125.WAA05406@takeover.core.com.ar

They claim that the 1.2.25 version of ssh fixes the problem. Not true?
Is ssh-1.2.27 vulnerable?

Greets
Rafael