[18687] in bugtraq
FORW: Re: Bug in SSH1 secure-RPC support can expose users'
daemon@ATHENA.MIT.EDU (Dan Harkless)
Thu Jan 18 14:29:25 2001
Message-Id: <200101180215.SAA16586@dilvish.speed.net>
Date: Wed, 17 Jan 2001 18:15:30 -0800
Reply-To: Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
From: Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
To: BUGTRAQ@SECURITYFOCUS.COM

For some reason my Bugtraq post where I asked the below questions was not
approved (I guess the patches URL issue had been resolved by moderation
time, but the affected versions issue had not -- the advisory only makes
reference to 1.2.30).

Therefore, I sent the questions to ssh.com directly. Below is the response.

------- Forwarded Message
Message-ID: <3A661F71.1553A3AC@ssh.com>
Date: Wed, 17 Jan 2001 14:40:49 -0800
From: Stephanie Thomas <steph@ssh.com>
Organization: SSH Communications Security Inc.
To: Dan Harkless <dan-bugtraq@dilvish.speed.net>
Subject: Re: Bug in SSH1 secure-RPC support can expose users' private keys
References: <20010116091449.A2299@ssh.com> <200101172045.MAA15310@dilvish.speed.net>

Hi Dan,

All versions of SSH1, from 1.2.30 back (including 1.2.27),
are vulnerable.

Sorry about the incorrect url. Here's the correct one:
http://www.ssh.com/ssh/patches.html

Best Regards,
Steph

Dan Harkless wrote:
>
> ssh2-bugs@ssh.com writes:
> > There is a bug in SSH-1.2.30
>
> So is 1.2.27 not vulnerable?
>
> > involving Secure RPC. The patch for this is available at
> > http://www.ssh.com/patches.html.
>
> No it isn't. That just gets a 404.
>
> ----------------------------------------------------------------------
> Dan Harkless | To prevent SPAM contamination, please
> dan-bugtraq@dilvish.speed.net | do not mention this private email
> SpeedGate Communications, Inc. | address in Usenet posts. Thank you.

--
Stephanie Thomas
Technical Support Specialist
SSH Communications Security Inc.
1076A E. Meadows Circle
Palo Alto, CA 94303
ssh-support@ssh.com
Conference NOTE: I will be out January 28, 2001 thru
February 3, 2001 for the SANS conference. I will be checking
email, but connectivity may be sporadic. When sending email
regarding support, please be sure to cc: ssh-support@ssh.com
to ensure that your request will be handled during my absence.
------- End of Forwarded Message
----------------------------------------------------------------------
Dan Harkless | To prevent SPAM contamination, please
dan-bugtraq@dilvish.speed.net | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts. Thank you.