[15656] in bugtraq
Re: Kerberos security vulnerability in SSH-1.2.27
daemon@ATHENA.MIT.EDU (Atro Tossavainen)
Thu Jul 6 14:05:35 2000
Message-Id: <200007061427.e66ERDZ32704@sirppi.helsinki.fi>
Date: Thu, 6 Jul 2000 17:27:13 +0300
Reply-To: Atro.Tossavainen@helsinki.fi
From: Atro Tossavainen <atossava@CC.HELSINKI.FI>
X-To: jts28@CORNELL.EDU
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.SOL.3.91.1000705080847.15496C-100000@travelers.mail.cornell.edu> from "Schlachter, Jake" at "Jul 5, 2000 08:44:15 am"

Dear Jake,

> Just posting to note that there is indeed a ssh-1.2.28 release, but lo!
> also a 1.2.29.

And now, also a 1.2.30. This fixes bugs reported ages ago:

* the server accepting unsupported ciphers (notably "none") if so
  requested by clients, even though the server itself wasn't compiled
  with "--with-none";
* a syslog handle hogging bug that would cause problems on large
  multi-user IRIX machines;
* and another bug that would sometimes truncate scp transfers.

The license issues remain as you said.

> Question for the Group: isn't the version 1.x license the only reason for
> the 1.5 protocol's continued use? (aside from compatibility reasons,
> which could probably be cleaned up were it not for the ver 2.x license)

Compatibility reasons indeed. For example, there is no AFS support for
2.x. I am aware of the fact that the support in 1.x is third-party.

Are there other free SSH2 clients than OpenSSH? Particularly, anything
for anything else but UNIX? That might also be an issue.

--
Atro Tossavainen (Mr.), Systems Analyst, contact info at URL, +358-9-19158939
The Institute of Biotechnology at the University of Helsinki, Finland employs
me, but my opinions are my own. They are welcome to them, if they want them.
<URL:http://www.iki.fi/atro.tossavainen/>
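
The first fix listed in the message above, as an added example that is not part of the original post or of the ssh source: a server-side check that the cipher number a client names is one this server build actually offers. The function names, the `WITH_NONE` switch (standing in for "--with-none") and the sample cipher set are assumptions; the cipher numbers are those of the SSH 1.x protocol.

```c
#include <stdio.h>

/* Cipher numbers as assigned in the SSH 1.x protocol. */
enum { SSH_CIPHER_NONE = 0, SSH_CIPHER_IDEA = 1, SSH_CIPHER_DES = 2,
       SSH_CIPHER_3DES = 3, SSH_CIPHER_ARCFOUR = 5, SSH_CIPHER_BLOWFISH = 6 };

/* Hypothetical build switch standing in for configure's --with-none. */
#ifndef WITH_NONE
#define WITH_NONE 0
#endif

/* Bitmask of ciphers this build offers (constructed sample set). */
unsigned int server_cipher_mask(void)
{
    unsigned int mask = (1u << SSH_CIPHER_IDEA) | (1u << SSH_CIPHER_3DES)
                      | (1u << SSH_CIPHER_BLOWFISH);
#if WITH_NONE
    mask |= 1u << SSH_CIPHER_NONE;
#endif
    return mask;
}

/* Behaviour of the bug as described: whatever the client names is used. */
int accept_cipher_unchecked(unsigned int mask, int requested)
{
    (void)mask;
    (void)requested;
    return 1;
}

/* Checked form: the number must be in range and set in the server's mask. */
int accept_cipher_checked(unsigned int mask, int requested)
{
    if (requested < 0 || requested >= 32)
        return 0;
    return (int)((mask >> requested) & 1u);
}

int main(void)
{
    unsigned int mask = server_cipher_mask();
    int wanted[] = { SSH_CIPHER_NONE, SSH_CIPHER_DES, SSH_CIPHER_3DES, 40 };
    for (unsigned i = 0; i < sizeof wanted / sizeof wanted[0]; i++)
        printf("cipher %2d: unchecked=%d checked=%d\n", wanted[i],
               accept_cipher_unchecked(mask, wanted[i]),
               accept_cipher_checked(mask, wanted[i]));
    return 0;
}
```

A server that rejects the request should also disconnect rather than fall back to another cipher silently, so the client cannot be left believing a different cipher is in use.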