On Wed, Jan 19, 2000 at 12:53:58PM -0500, Michael J. McGillick wrote:
> Afternoon Everyone:

> A buddy of mine believes that I'm running an insecure version of SSH. My
> current version is:

> ssh-1.2.27-5us

Possibly so... If that implies that you are running the US version
of ssh 1.2.27 which includes RSAREF2, then yes, you are running an insecure
version due to two buffer overflow problems, one in the rsaglue routines
used to shim RSAREF2 into ssh and the other in RSAREF2 itself.

> How do I tell if my version is insecure, and where would I get the latest
> version from?

I'm unaware that there has been an official "fix" for ssh-1.2.27.
I would love to be proven wrong on that, but I've heard nothing.

There are some "unofficial" patches out there. One fixes the rsaglue
problem and RSA has "blessed" a patch to RSAREF2 to address the other.
I have neither. It is possible that the "27-5" may incorporate those
patches, but I really don't think I would trust it.

I have switched over to OpenSSH <www.openssh.org>. It's not subject
to these problems. You can also switch to the International version of
ssh which uses the International version of the RSA libraries. If you are
in the US, that violates the RSA patent until it expires in October.

> - Mike

Mike
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
(The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!