On Sun, 19 Dec 1999, Ronald J. Yacketta wrote:

> Denis Havlik wrote:
> > 
> > :>> The version of ssh currently on the ftp and download sites
> > :>> is the old 1.2.27.  This version has a newly discovered
> > :>> bug in the RSAREF2 module which leaves your computer wide
> > :>> open to hackers to execute root code.
> > :>>
> > 
> > This bug works only if you have RSAREF compiled in the ssh. That is, only
> > if you are using the us-version.
> > 
> > ssh -V
> > 
> > tells you if RSAREF is compiled-in.
> > 
> > cu
> >         Denis
> > 
> > -----------------------------------------------------------
> > Denis Havlik  |||   http://www.ap.univie.ac.at/users/havlik
> >              (@ @)  [EMAIL PROTECTED]
> > ---------oOO--(_)--OOo-------------------------------------
> check out www.freshmeat.net and search for install-ssh-1.0.5
> I nabbed that little script which went out and dl'ed the latest
> ssh and installed it for me.

Just because you have the latest doesn't mean it's secure.

Also, because you've used a script, you know less about it, both the
code and what it configured.

Does this script also verify the sig of the file it downloads? (I'm
checking, site's way slow)

The point I'm getting at is you have a false sense of security. If you're
not paranoid, you're broken into.

Finished checking, it doesn't check the sig, and it does add RSAREF.

Uninstall it like asap.


     ftp://ftp.nectec.or.th/pub/mirrors/Mandrake-crypto/ 

     ftp://ftp.tvd.be/packages/mandrake-crypto/

     ftp://sunsite.mff.cuni.cz/OS/Linux/Dist/Mandrake-crypto/ 

     ftp://ftp.uni-kl.de/pub/linux/mandrake/Mandrake-crypto/

     ftp://ftp.leo.org/pub/comp/os/unix/linux/Mandrake/Mandrake-crypto/

     ftp://sunsite.uio.no/pub/unix/Linux/Mandrake-crypto/

     ftp://ftp.sunet.se/pub/Linux/distributions/mandrake-crypto/

     ftp://crypto.linux-mandrake.com/pub/crypto/


and install this from one of the above.

RPMS/ssh-1.2.27-2mdk.i586.rpm

-- 
MandrakeSoft          http://www.mandrakesoft.com/
                                        --Axalon
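
The check the message above asks about, as an added example that is not part of the original thread and is not the freshmeat script: a shell gate that installs an RPM only when `rpm --checksig` reports a good signature rather than only good digests. The function names and the sample output lines are constructed, and it assumes the packager's public key was already imported from a trusted source.

```shell
#!/bin/sh
# Added example (hypothetical helper names): gate an RPM install on a
# verified signature instead of trusting whatever was downloaded.

# classify_checksig LINE -> prints "signed-ok", "unsigned" or "bad".
# LINE is one line of `rpm --checksig` output: "<file>: <checks> OK|NOT OK".
classify_checksig() {
    result=${1#*: }                     # drop the "<file>: " prefix
    case "$result" in
        *"NOT OK"*) echo bad; return ;; # failed check or missing key
    esac
    case "$result" in
        *OK) ;;
        *) echo bad; return ;;          # unrecognised output: fail closed
    esac
    # A digest-only pass (md5, sha1, "digests") shows the file arrived
    # intact; it says nothing about who built it.
    for word in $result; do
        case "$word" in
            pgp|gpg|rsa|dsa|signatures) echo signed-ok; return ;;
        esac
    done
    echo unsigned
}

# verify_then_install FILE: upgrade/install only after the check passes.
verify_then_install() {
    line=$(rpm --checksig "$1" 2>&1 | tail -n 1)
    verdict=$(classify_checksig "$line")
    if [ "$verdict" = signed-ok ]; then
        rpm -Uvh "$1"
    else
        echo "refusing to install $1: $verdict ($line)" >&2
        return 1
    fi
}

# Constructed sample lines in the style of rpm output (not from the page).
for sample in \
    "ssh-1.2.27-2mdk.i586.rpm: md5 gpg OK" \
    "ssh-1.2.27-2mdk.i586.rpm: md5 OK" \
    "ssh-1.2.27-2mdk.i586.rpm: md5 GPG NOT OK"
do
    printf '%s -> %s\n' "$sample" "$(classify_checksig "$sample")"
done
```

The middle sample is the case an unattended install script tends to miss: an unsigned package still passes the digest check.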
