On Wed, Jan 19, 2000 at 12:53:58PM -0500, Michael J. McGillick wrote:
> Afternoon Everyone:
> A buddy of mine believes that I'm running an insecure version of SSH. My
> current version is:
> ssh-1.2.27-5us
Possibly so...
If that implies that you are running the US version of ssh 1.2.27
which includes RSAREF2, then yes, you are running an insecure version
due to two buffer overflow problems, one in the rsaglue routines used
to shim RSAREF2 into ssh and the other in RSAREF2 itself.
> How do I tell if my version is insecure, and where would I get the latest
> version from?
I'm unaware that there has been an official "fix" for ssh-1.2.27.
I would love to be proven wrong on that, but I've heard nothing. There are
some "unoffical" patches out there. One fixes the rsaglue problem and
RSA has "blessed" a patch to RSAREF2 to address the other. I have neither.
It is possible that the "27-5" may incorporate those patches, but I really
don't think I would trust it.
I have switched over to OpenSSH <www.openssh.org>. It's not
subject to these problems.
You can also switch to the International version of ssh which
uses the International version of the RSA libraries. If you are in the
US, that violates the RSA patent until it expires in October.
> - Mike
Mike
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
(The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
--
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.
