For some reason my Bugtraq post where I asked the below questions was not approved (I guess the patches URL issue had been resolved by moderation time, but the affected versions issue had not -- the advisory only makes reference to 1.2.30). Therefore, I sent the questions to ssh.com directly. Below is the response. ------- Forwarded Message Message-ID: <[EMAIL PROTECTED]> Date: Wed, 17 Jan 2001 14:40:49 -0800 From: Stephanie Thomas <[EMAIL PROTECTED]> Organization: SSH Communications Security Inc. To: Dan Harkless <[EMAIL PROTECTED]> Subject: Re: Bug in SSH1 secure-RPC support can expose users' private keys References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> Hi Dan, All versions of SSH1, from 1.2.30 back (including 1.2.27), are vulnerable. Sorry about the incorrect url. Here's the correct one: http://www.ssh.com/ssh/patches.html Best Regards, Steph Dan Harkless wrote: > > [EMAIL PROTECTED] writes: > > There is a bug in SSH-1.2.30 > > So is 1.2.27 not vulnerable? > > > involving Secure RPC. The patch for this is available at > > http://www.ssh.com/patches.html. > > No it isn't. That just gets a 404. > > ---------------------------------------------------------------------- > Dan Harkless | To prevent SPAM contamination, please > [EMAIL PROTECTED] | do not mention this private email > SpeedGate Communications, Inc. | address in Usenet posts. Thank you. - -- Stephanie Thomas Technical Support Specialist SSH Communications Security Inc. 1076A E. Meadows Circle Palo Alto, CA 94303 [EMAIL PROTECTED] Conference NOTE: I will be out January 28, 2001 thru February 3, 2001 for the SANS conference. I will be checking email, but connectivity may be sporadic. When sending email regarding support, please be sure to cc: [EMAIL PROTECTED] to ensure that your request will be handled during my absence. ------- End of Forwarded Message ---------------------------------------------------------------------- Dan Harkless | To prevent SPAM contamination, please [EMAIL PROTECTED] | do not mention this private email SpeedGate Communications, Inc. | address in Usenet posts. Thank you.
