A quick question concerning such things... I have a remote server that I do not trust myself to upgrade from Potato(e) to Woody, and such vulnerabilities do worry me a little. Is there any general expectation that such "back porting" will continue once Woody is released?
Curt-

-----Original Message-----
From: Jo Fahlke [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 12, 2001 19:45
To: Michal Kara
Cc: [EMAIL PROTECTED]
Subject: Re: Vulnerable SSH versions

On Mon, 12 Nov 2001, 11:30:49 +0100, Michal Kara wrote:
> Hi there!
>
> During this weekend, there has been a paper posted to bugtraq named "Analysis of
> SSH crc32 compensation attack detector exploit". It talks about a recorded
> successful exploit using overflow in CRC32 compensation attack detection code, a
> hole, which was discovered in February this year.
>
> In the appendices, there is also a program checking if you are vulnerable by
> checking the version string the SSH daemon produces on connect. The newest Debian
> Potato version produces the string "SSH-1.5-OpenSSH-1.2.3" which is listed as
> vulnerable to this security hole. However, the Debian advisory released in
> February refers to version 1.2.3 as having this fixed...
>
> So how is it? Who is wrong?
>
> Thanks,
> Michal

Check out the thread starting at
http://lists.debian.org/debian-security/2001/debian-security-200111/msg00025.html

Basically, in Debian potato the fix was backported to the old version of ssh
so it should be safe.

Jö.
--
If God had intended Man to Smoke, He would have set him on Fire.
-- fortune