[19925] in bugtraq


Trustix Security Advisory #2001-0002 - OpenSSH

daemon@ATHENA.MIT.EDU (tsl@TRUSTIX.COM)
Thu Mar 29 14:28:05 2001

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-ID:  <20010329135825.B3378@thunder.trustix.com>
Date:         Thu, 29 Mar 2001 13:58:25 +0200
Reply-To: tsl@TRUSTIX.COM
From: tsl@TRUSTIX.COM
X-To:         tsl-announce@trustix.org
To: BUGTRAQ@SECURITYFOCUS.COM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2001-0002

Package name:      OpenSSH
Severity:          Possible to determine password length
Date:              2001-03-29
Affected versions: TSL 1.01, 1.1, 1.2

- --------------------------------------------------------------------------

Problem description:
    From the release notes of Portable OpenSSH-2.5.2p2:
    Security related changes:
        Improved countermeasure against "Passive Analysis of SSH
        (Secure Shell) Traffic"
        http://openwall.com/advisories/OW-003-ssh-traffic-analysis.txt

        The countermeasures introduced in earlier OpenSSH-2.5.x versions
        caused interoperability problems with some other implementations.

        Improved countermeasure against "SSH protocol 1.5 session
        key recovery vulnerability"
        http://www.core-sdi.com/advisories/ssh1_sessionkey_recovery.htm


Action:
  We recommend that all systems which have this package installed be upgraded.

Location:
  All TSL updates are available from
  <URL:http://www.trusix.net/pub/Trustix/updates/>
  <URL:ftp://ftp.trusix.net/pub/Trustix/updates/>

Users of the SWUP tool can have the security updates
automatically installed using 'swup --upgrade'.

Get SWUP from:
ftp://ftp.trustix.net/pub/Trustix/software/swup/


Questions?
Check out our mailing lists:
http://www.trustix.net/support/


Verification:
This advisory is signed with the TSL sign key.  It is available from:
http://www.trustix.net/TSL-GPG-KEY


Trustix Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6wyAzwRTcg4BxxS0RAodOAJ9G9BtOZaTpzYpbSkJDhXqKEn2ySwCfSXtq
52GvTRB1mSqAg+8difECgQk=
=MEis
-----END PGP SIGNATURE-----
--
Trustix Secure Linux Advisor
Homepage:           http://www.trustix.net/
Errata:             http://www.trustix.net/errata/
Automatic updates:  http://www.trustix.net/pub/Trustix/software/swup/
