[21845] in bugtraq
RE: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0
daemon@ATHENA.MIT.EDU (Stephanie Thomas)
Wed Jul 25 14:10:35 2001
From: "Stephanie Thomas" <customer.service@ssh.com>
To: "Emre Yildirim" <emre@vsrc.uab.edu>, <bugtraq@securityfocus.com>
Date: Wed, 25 Jul 2001 10:17:35 -0700
Message-ID: <FNEKKFMHLBAMAHPEHBLMAEAJCAAA.customer.service@ssh.com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
In-Reply-To: <1101.138.26.156.4.995933493.squirrel@www.vsrc.uab.edu>
Hi Emre,
We have tested OpenBSD and NetBSD, and have found
that they do not experience this vulnerability,
even with ssh 3.0.0 installed.
This is most likely due to the method used to encrypt the
password in /etc/passwd or /etc/shadow.
Best Regards,
Steph
-----Original Message-----
From: Emre Yildirim [mailto:emre@vsrc.uab.edu]
Sent: Monday, July 23, 2001 5:12 PM
To: bugtraq@securityfocus.com
Cc: customer.service@ssh.com
Subject: RE: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0
> SSH Secure Shell 3.0.0 does not ship with any
> of the operating systems mentioned, nor does the
> announcement specify that it does. However, if a
> user has explicitly installed SSH Secure Shell 3.0.0
> on any of the listed operating systems, they are
> vulnerable to this potential exploit.
>
I don't want to drag this boring thread any longer, but in
your advisory, it stated that OpenBSD and NetBSD were
not vulnerable. So...if I install SSH 3.0.0 on one of those
(even though the already come with openssh), ssh will not
be vulnerable to this bug? Or will it? I think that part
created a little confusion.
Cheers
