--- F R E N D Z of martian --- Dunno if any of you use ssh (actually I know some do) and if you do, whether you use RSAREF, but if you do, and you do, check this warning out. ----- Original Message ----- From: Hans C. Masing <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, December 14, 1999 5:37 PM Subject: GeeK: SSH1 vulnerability > [Mod: i committed a fix for this in the OpenBSD SSH port a month ago, see > http://www.monkey.org/openbsd/archive/misc/9911/msg00374.html > i also committed this fix for RSAREF in the OpenBSD ports tree as well: > http://www.openbsd.org/cgi-bin/cvsweb/ports/security/rsaref/patches/patch-ac ?rev=1.2 > and at any rate, OpenSSH was never affected: http://www.openssh.com/ ] > > Check your SSH! > > alchemy.ifs.umich.edu [hmasing]% ssh -V > SSH Version 1.2.26 [i686-unknown-linux], protocol version 1.5. > Standard version. Does not use RSAREF. > > or: > > umiacdev[hmasing]% ssh -V > SSH Version 1.2.26 [sparc-sun-solaris2.6], protocol version 1.5. > Compiled with RSAREF. > > The latter is an issue - here's why: > > http://www.cert.org/advisories/CA-99-15-RSAREF2.html > > Some versions of sshd are vulnerable to a buffer overflow that can allow > an intruder to influence certain variables internal to the program. This > vulnerability alone does not allow an intruder to execute code. > > However, a vulnerability in RSAREF2, which was discovered and > researched by Core SDI, can be used in conjunction with the vulnerability > in sshd to allow a remote intruder to execute arbitrary code. > > Additional information about the RSAREF2 vulnerability can be found at > > http://www.core-sdi.com/advisories/buffer%20overflow%20ing.htm > > The RSAREF2 library was developed from a different code base than > other implementations of the RSA algorithm, including those from > RSA Security Inc. The vulnerability described in this advisory is > specific to the RSAREF2 library and does not imply any weakness in other > implementations of the RSA algorithm or the algorithm itself. > > - Hans > > > > -- Sent to you via the frendz list at marsbard.com The archive is at http://www.mail-archive.com/frendz@marsbard.com/