[21767] in bugtraq


Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0

daemon@ATHENA.MIT.EDU (Florian Weimer)
Mon Jul 23 11:15:12 2001

To: BUGTRAQ@securityfocus.com
Cc: customer.service@ssh.com
From: Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE>
Date: 22 Jul 2001 10:03:31 +0200
In-Reply-To: <FNEKKFMHLBAMAHPEHBLMCEAGCAAA.customer.service@ssh.com> ("Stephanie Thomas"'s message of "Fri, 20 Jul 2001 17:34:02 -0700")
Message-ID: <tg3d7pfl0s.fsf@mercury.rus.uni-stuttgart.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

"Stephanie Thomas" <customer.service@ssh.com> writes:

> A potential remote root exploit has been discovered 
> in SSH Secure Shell 3.0.0, for Unix only, concerning 
> accounts with password fields consisting of two or 
> fewer characters.

A quick glance at the source code suggests that SSH 2.3.0 and 2.4.0
have the same problem.  Is this true?

> Use the following patch in the source code:

It is not quite clear whether the license agreement permits
modification of the source code.

-- 
Florian Weimer 	                  Florian.Weimer@RUS.Uni-Stuttgart.DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
