[21765] in bugtraq
Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0
daemon@ATHENA.MIT.EDU (Marcus Meissner)
Sun Jul 22 00:52:24 2001
Date: Sun, 22 Jul 2001 00:48:58 +0200
Message-Id: <200107212248.f6LMmwi31696@ns.caldera.de>
From: Marcus Meissner <mm@ns.caldera.de>
To: customer.service@ssh.com ("Stephanie Thomas"), bugtraq@securityfocus.com,
okir@caldera.de
In-Reply-To: <FNEKKFMHLBAMAHPEHBLMCEAGCAAA.customer.service@ssh.com>
In article <FNEKKFMHLBAMAHPEHBLMCEAGCAAA.customer.service@ssh.com> you wrote:
> Dear Secure Shell Community,
> A potential remote root exploit has been discovered
> in SSH Secure Shell 3.0.0, for Unix only, concerning
> accounts with password fields consisting of two or
> fewer characters. Unauthorized users could potentially
> log in to these accounts using any password, including
> an empty password. This affects SSH Secure Shell 3.0.0
> for Unix only. This is a problem with password
> authentication to the sshd2 daemon. The SSH Secure
> Shell client binaries (located by default in
> /usr/local/bin) are not affected.
> SSH Secure Shell 3.0.1 fixes this problem.
> ...
> ... Vulnerable ...
> ...
> Caldera Linux 2.4
Caldera is not shipping the commercial version of SSH in its Linux
distributions and so is NOT vulnerable except in cases where the
administrator installed the commercial version of SSH.
We are instead providing OpenSSH version 2.9p2 for all supported platforms,
which is not affected by the above flaw.
Ciao, Marcus
--
_____ ___
/ __/____/ / Caldera (Deutschland) GmbH
/ /_/ __ / /__ Naegelsbachstr. 49c, 91052 Erlangen
/_____//_/ /____/ Dipl. Inf. Marcus Meissner, email: mm@caldera.de
==== /_____/ ====== phone: ++49 9131 7912-300, fax: ++49 9131 7192-399
Caldera OpenLinux
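
The quoted advisory names the exposure condition as accounts whose password field has two or fewer characters. The following audit sketch is an added example, not part of the original message and not code from SSH Communications Security or Caldera; it assumes the colon-separated passwd(5)/shadow(5) layout, and the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: list accounts whose password field is two or fewer
# characters long, the condition named in the quoted advisory.
# Run it against the file that really holds the password field
# (the shadow file on shadowed systems; in a shadowed /etc/passwd every
# field is the one-character placeholder "x").

short_pw_accounts() {
    # $1: passwd/shadow-format file; reads stdin when omitted.
    # Output: account name, field length, field content (tab separated).
    awk -F: '
        /^#/ || NF < 2 { next }     # skip comments, blank and malformed lines
        length($2) <= 2 {
            printf "%s\t%d\t%s\n", $1, length($2), ($2 == "" ? "<empty>" : $2)
        }
    ' "${1:--}"
}

constructed_sample() {
    # Constructed shadow-style entries (not real accounts or hashes).
    # Short fields such as "*", "!!" and "NP" are common lock markers.
    cat <<'EOF'
# constructed sample data
root:$1$constructed$abcdefghijklmnopqrstuv:11525:0:99999:7:::
bin:*:11525:0:99999:7:::
daemon:!!:11525:0:99999:7:::
lp:NP:11525::::::
guest::11525:0:99999:7:::
alice:$1$constructed$ABCDEFGHIJKLMNOPQRSTUV:11525:0:99999:7:::
EOF
}

# Demonstration on the constructed sample; pass a real file path to
# short_pw_accounts to audit a host.
constructed_sample | short_pw_accounts
```

Accounts reported here are the ones to review on any host where SSH Secure Shell 3.0.0 was installed, alongside upgrading to 3.0.1 as the advisory states.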