[19155] in bugtraq

Re: SSH1 vulnerability ?

daemon@ATHENA.MIT.EDU (Markus Friedl)
Mon Feb 12 17:40:40 2001

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID:  <20010211131509.A27585@faui02.informatik.uni-erlangen.de>
Date:         Sun, 11 Feb 2001 13:15:09 +0100
Reply-To: Markus Friedl <Markus.Friedl@INFORMATIK.UNI-ERLANGEN.DE>
From: Markus Friedl <Markus.Friedl@INFORMATIK.UNI-ERLANGEN.DE>
X-To:         ssh@clinet.fi
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.10.10102111351490.22997-100000@mystery.acr.fi>; from
              ylo@ssh.com on Sun, Feb 11, 2001 at 01:53:13PM +0200

Tatu Ylonen wrote:

> > > It's real enough for most vendors to respond. I think you want
> > > to make sure your servers have at least 1.2.30/2.4.0 or
> > > openssh 2.3.0p1 at this point.
> >
> > well, 1.2.30 does not contain a fix for this problem.
>
> No, but the current version is ssh-2.4.0, which does not suffer from this
> problem at all.

Well, you have to be very careful.

This is only true if ssh-2.4.0 has fallback to ssh1 disabled
and since the posting says "1.2.30/2.4.0" it implies that ssh1 support
is enabled.

So I'd like to point out again that:

	1) ssh-2.4.0 is vulnerable iff fallback to ssh1 is enabled
	   (unless it falls back to openssh-2.3.0p1, but I assume that
	   this is very unlikely).

	2) openssh-2.3.0p1 is _not_ vulnerable at all.

Note that it's not unlikely that ssh-2.x installations have ssh1 fallback
_enabled_  (> 50% in the network I did check).

-m
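
An added example, not part of the original post: one way to inventory which servers still offer ssh1, using the SSH identification string (a protocol version of 1.99 marks an SSH-2 server that also accepts SSH-1 clients; that convention is from the SSH protocol, not from this message). The function names and the sample banners are constructed for illustration, and the exemption list encodes only the message's statement about openssh-2.3.0p1.

```python
import re

# Identification line a server sends on connect:
#   SSH-<protoversion>-<softwareversion>[ <comments>]
# protoversion 1.99 means "SSH-2 server that also accepts SSH-1 clients".
BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)(?: .*)?$")

# The one SSH-1 capable release the message states is not vulnerable.
NOT_VULNERABLE = {"OpenSSH_2.3.0p1"}


def classify(banner):
    """Return (mode, software); mode is 'ssh1-only', 'ssh1-fallback',
    'ssh2-only' or 'invalid'."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return "invalid", None
    proto = (int(m.group(1)), int(m.group(2)))
    if proto == (1, 99):
        return "ssh1-fallback", m.group(3)
    if proto[0] == 1:
        return "ssh1-only", m.group(3)
    if proto[0] == 2:
        return "ssh2-only", m.group(3)
    return "invalid", None


def needs_review(banner):
    """True when the server speaks SSH-1 and is not the exempt release."""
    mode, software = classify(banner)
    return mode in ("ssh1-only", "ssh1-fallback") and software not in NOT_VULNERABLE


def fallback_share(banners):
    """Fraction of SSH-2 capable servers that still offer SSH-1 fallback."""
    modes = [classify(b)[0] for b in banners]
    v2 = [m for m in modes if m in ("ssh1-fallback", "ssh2-only")]
    return v2.count("ssh1-fallback") / len(v2) if v2 else 0.0


# Constructed sample banners (not captured from real hosts).
SAMPLES = ["SSH-1.99-2.4.0 SSH Secure Shell\r\n", "SSH-2.0-2.4.0 SSH Secure Shell\r\n",
           "SSH-1.99-OpenSSH_2.3.0p1\r\n", "SSH-1.5-1.2.30\r\n", "garbage"]

if __name__ == "__main__":
    for b in SAMPLES:
        print(repr(b.strip()), classify(b)[0], "review" if needs_review(b) else "ok")
    print("ssh1 fallback share of SSH-2 servers: %.0f%%" % (100 * fallback_share(SAMPLES)))
```

The banner does not say which ssh1 daemon handles the fallback, so the exception in point 1 cannot be decided from it and a flagged 1.99 host still needs a look at its installed ssh1 version.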
