On Sat, 18 Dec 1999, Ramon Gandia wrote:

> "Ronald J. Yacketta" wrote:
> > 
> > Michael Flaig wrote:
> > >
> > > Hello !
> > > How can I get SSH for Mandrake 6.1 ?
> > > It is needed for Servers ... to get Access from some remote stations ...
> > >
> > > It is not delivered with the Mandrake GPL Distribution ...
> > > I can't find it ...
> 
> The versions of ssh currently on the ftp and download sites
> are the old 1.2.27.  This version has a newly discovered
> bug in the RSAREF2 module which leaves your computer wide
> open to hackers to execute root code.  
> 
> The 1.2.28 version should be released soon to cover this
> security hole.  It would also be possible to get the
> 1.2.27 version in source form and do the security patch
> and then reinstall.  
> 
> ssh 2.x is not affected.
> 
> I am not sure what the effect would be of getting the present
> 1.2.27 source RPM and rebuilding it with rsaref disabled.  It
> may not work, but I would like to hear from people about this.
> I think if you are going to rebuild rpm's, it should be fairly
> trivial to get the source rpm, do the patch, and then rebuild
> the rpm to something like ssh-1.2.27-rsaref-good-mdk-i586.rpm
> or something like that.  I have not investigated this too
> deeply yet.
> 
> The CERT advisory on ssh 1.2.27 and prior just came out this
> week on Wednesday.  It's a critical security hole if you have
> your /etc/hosts.deny and /etc/hosts.allow files set up to
> allow global ssh logins (most are, and is the default in that
> ssh is not mentioned in those files, leaving them wide open).

 as always CERT right on top of things.. Not
Away I'm still not allowed to touch crypto, I'll see with yoann to get you
guys an update as soon as it's available
 
> I was just on the Freshmeat and the www.ssh.org sites today,
> Saturday Dec 18, and so far ALL versions there are the
> vulnerable ones with no patches done yet.
> 
> 

-- 
MandrakeSoft          http://www.mandrakesoft.com/
                                        --Axalon
