Re: Which ssh should I have?

2001-11-10 Thread Walter D. Sessions

It seems that this discussion has been due to an over-zealous sysadmin. If one will
check the Nessus documentation (mailing lists), such false positives have been
thoroughly debated. Many of the scan scripts (nasl plugins) only check version
numbers. Owing to this paradigm, nessus outputs warnings in the log file concerning
such false indicators. I have recently run the latest experimental (cvs) release of
Nessus against Potato. A security-hole is indicated along with a **Warning** of a
possible false positive.

The only way to fix the false positive problem would be to have Nessus actually crack
the target. This idea is greatly frowned upon!

Bottom line is that Potato ssh is secure relative to the CRC 32 compensation attack.

You might inform your sysadmin to check the Nessus mailing list archive or subscribe
to it.

Albeit, VERY nicely though! :p

-Walter

[EMAIL PROTECTED] 


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]





Re: Which ssh should I have?

2001-11-09 Thread NOKUBI Takatsugu

In article [EMAIL PROTECTED]
[EMAIL PROTECTED] writes:

 CERT tells me Debian potato is vulnerable. We might want to correct them
 if they are wrong.
 
 http://www.cert.org/incident_notes/IN-2001-12.html
 http://www.kb.cert.org/vuls/id/945216
 tells me:
 
 Vendor Status Date updated
 Debian Vulnerable 2-Nov-2001

OpenSSH on Debian is right, but ssh-nonfree is still vulnerable.
See http://bugs.debian.org/85725
-- 
NOKUBI Takatsugu
E-mail: [EMAIL PROTECTED]
[EMAIL PROTECTED] / [EMAIL PROTECTED]






Re: Which ssh should I have?

2001-11-09 Thread Ville Uski

* NOKUBI Takatsugu [EMAIL PROTECTED] [011109 09:53]:
  Vender Status Date updated
  Debian Vulnerable 2-Nov-2001
 
 OpenSSH on Debian is right, but ssh-nonfree is still vulnerable.
 See http://bugs.debian.org/85725

It seems that some people think that even ssh in potato is unsafe. The
low version number attracts crackers or something.  It also irritates
netadmins that nessus complains about potato-ssh every time they scan
the network.

Is there any harm from installing ssh from woody on potato? This does
not apply in my case, but I'd like to know.

Best,
Ville






Re: Which ssh should I have?

2001-11-09 Thread Mike Renfro

On Fri, Nov 09, 2001 at 11:26:49AM +0100, Ville Uski wrote:

 Is there any harm from installing ssh from woody on potato? This does
 not apply in my case, but I'd like to know.

No harm beyond getting it built right (no binary installs from
woody/sid into potato), and realizing that security.debian.org won't
automagically post fixes for that package.

Something like:

apt-get source ssh
cd ssh-*/                         # the unpacked source directory
grep Build-Depends: debian/control
# install the packages listed there; if debian/control names something that
# simply doesn't exist in potato, edit the Depends: line accordingly
dpkg-buildpackage                 # as root, or with -rfakeroot
cd .. ; dpkg -i ssh*deb

-- 
Mike Renfro  / RD Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- [EMAIL PROTECTED]






Re: Which ssh should I have?

2001-11-09 Thread Ethan Benson

On Fri, Nov 09, 2001 at 11:26:49AM +0100, Ville Uski wrote:
 
 Is there any harm from installing ssh from woody on potato? This does
 not apply in my case, but I'd like to know.

you can't, the dependencies will drag in half of woody.

you can backport the woody ssh packages to potato however.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/





Re: Which ssh should I have?

2001-11-09 Thread Ville Uski

* Ethan Benson [EMAIL PROTECTED] [011109 16:41]:
  Is there any harm from installing ssh from woody on potato? This
  does
  not apply in my case, but I'd like to know.

 you can't, the dependencies will drag in half of woody.

I suspected that, and suggested to a friend of mine to upgrade to woody.
He runs potato (which I installed ;-), but since the ssh in potato is
supposed to be unsafe (which may sound funny), he has to do the backport
or dist-upgrade. The latter looks easier, and almost everybody runs woody
or sid anyway.

Thanks for the help, all.

/Ville







Re: Which ssh should I have?

2001-11-08 Thread Junichi Uekawa

Wichert Akkerman [EMAIL PROTECTED] immo vero scripsit

 That's because nessus only checks the version number, and since we
 backported the patch we still have the old version number even though
 we are safe.

CERT tells me Debian potato is vulnerable. We might want to correct them
if they are wrong.

http://www.cert.org/incident_notes/IN-2001-12.html
http://www.kb.cert.org/vuls/id/945216
tells me:

Vendor Status Date updated
Debian Vulnerable 2-Nov-2001




regards,
junichi

-- 
[EMAIL PROTECTED]  http://www.netfort.gr.jp/~dancer










Re: Which ssh should I have?

2001-11-07 Thread Osvaldo Mundim Junior

Where can I get the opensource ssh?

tks

On Wed, 07 Nov 2001, Ville Uski wrote:
 Hi,
 
 I just joined the list after the admin of the network in my house had
 complained that sshd running in my computer is remotely exploitable. I
 asked for more details and he only said it's the bug in the crc32 bit.
 He also told me to install the newest version of openssh. The problem is
 now which package I should install. I tried ssh-nonfree, but it
 complained that some of the dependences is not installable. I'm not very
 familiar with this issue. I couldn't find much information on it on
 debian pages. The ssh package I currently have is
 ssh_1.2.3-9.3_i386.deb. 
 
 I have understood that the crc32 bug was already found in February so I
 find it hard to believe that it's not already fixed on debian (I'm
 running woody on a laptop PC). I should have all the security fixes
 installed on my system (there is this security.debian.org line on my
 sources.list file). 
 
 Thanks for any information,
 Ville
 
 
-- 

___
Osvaldo






RE: Which ssh should I have?

2001-11-07 Thread Ed Street

Hello,

www.freshmeat.net

Or if you're running debian do an apt-get install ssh (most recommended)

Ed

 -Original Message-
 From: Osvaldo Mundim Junior [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, November 07, 2001 7:47 AM
 To: [EMAIL PROTECTED]
 Subject: Re: Which ssh should I have?


 Where can I get the opensource ssh?

 tks

 On Wed, 07 Nov 2001, Ville Uski wrote:
  Hi,
 
  I just joined the list after the admin of the network in my house had
  complained that sshd running in my computer is remotely exploitable. I
  asked for more details and he only said it's the bug in the crc32 bit.
  He also told me to install the newest version of openssh. The problem is
  now which package I should install. I tried ssh-nonfree, but it
  complained that some of the dependencies are not installable. I'm not very
  familiar with this issue. I couldn't find much information on it on
  debian pages. The ssh package I currently have is
  ssh_1.2.3-9.3_i386.deb.
 
  I have understood that the crc32 bug was already found in February so I
  find it hard to believe that it's not already fixed on debian (I'm
  running woody on a laptop PC). I should have all the security fixes
  installed on my system (there is this security.debian.org line on my
  sources.list file).
 
  Thanks for any information,
  Ville
 
 
 --

 ___
 Osvaldo









Re: Which ssh should I have?

2001-11-07 Thread jigal

On Wed, 07 Nov 2001, Ville Uski wrote:

 The ssh package I currently have is ssh_1.2.3-9.3_i386.deb. 
 
 I have understood that the crc32 bug was already found in February so I
 find it hard to believe that it's not already fixed on debian (I'm
 running woody on a laptop PC). I should have all the security fixes
 installed on my system (there is this security.debian.org line on my
 sources.list file). 

Here you find a reference to the vuln, fixed.
http://www.debian.org/security/2001/dsa-027


greets


Jigal
 

-- 
Gelukkig is het met de links radicalen goed afgelopen.
Het zijn nu wethouders, kamerleden, burgemeesters.
-ontbijtv 






Re: Which ssh should I have?

2001-11-07 Thread jigal

On Wed, 07 Nov 2001, jigal wrote:
 
 Here you find a reference to the vuln, fixed.
 http://www.debian.org/security/2001/dsa-027

I am sorry, on reading it again I found it doesn't mention it.


But I found this in the archives of the security mailing list:
http://lists.debian.org/debian-security/2001/debian-security-200102/msg00138.html

The previous mail in the thread refers to:
http://razor.bindview.com/publish/advisories/adv_ssh1crc.html

Which is the vuln in question.


You could however grab the source of ssh from the unstable tree
and compile it yourself.



Regards, 



Jigal


-- 
In short, his argument is that Holland, Germany and France (the biggest
 critic of Echelon) are bigger buggers of their own citizens than the 
Anglo-Saxon nations they're so paranoid about. 
-John Leyden The Register






Re: Which ssh should I have?

2001-11-07 Thread Ville Uski

* jigal [EMAIL PROTECTED] [011107 14:20]:
 But I found this in the archives of the security mailing list:
 http://lists.debian.org/debian-security/2001/debian-security-200102/msg00138.html
 
 The previous mail in the thread references to:
 http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
 
 Which is the vuln in question.

Thanks! 

 You could however grab the source of ssh from the unstable tree
 and compile it yourself.

Hm, why should I do that? Is my admin right when he thinks that my
current sshd is vulnerable? I have the latest stable precompiled
package, i.e. the default ssh installed.

Well, I can compile it anyway. Hopefully it convinces the admin.

Best,
Ville






Re: Which ssh should I have?

2001-11-07 Thread Ted Cabeen

In message [EMAIL PROTECTED], Ville Uski writes:
* jigal [EMAIL PROTECTED] [011107 14:20]:
 But I found this in the archives of the security mailing list:
 http://lists.debian.org/debian-security/2001/debian-security-200102/msg00138.html
 
 The previous mail in the thread references to:
 http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
 
 Which is the vuln in question.

Hm, why should I do that? Is my admin right when he thinks that my
current sshd is vulnerable? I have the latest stable precompiled
package, i.e. the default ssh installed.

Make sure that you have the security site in your /etc/apt/sources.list file. 
If you do, and apt-get update; apt-get upgrade says you're up to date, then 
you're fine.  In general, the security team patches the current version to 
fix security bugs in stable rather than upgrade to a newer version.  That 
could be confusing your sysadmin.  The CRC bug was patched in debian as of 
ssh version 1.2.3-9.2.  You can look at the changelog in 
/usr/share/doc/ssh/changelog.Debian.gz for specific information.

-- 
Ted Cabeen   http://www.pobox.com/~secabeen[EMAIL PROTECTED] 
Check Website or Keyserver for PGP/GPG Key BA0349D2 [EMAIL PROTECTED]
I have taken all knowledge to be my province. -F. Bacon  [EMAIL PROTECTED]
Human kind cannot bear very much reality.-T.S.Eliot[EMAIL PROTECTED]







Re: Which ssh should I have?

2001-11-07 Thread Ville Uski

* Ted Cabeen [EMAIL PROTECTED] [011107 18:11]:
 Make sure that you have the security site in your
 /etc/apt/sources.list file.  If you do, and apt-get update; apt-get
 upgrade says you're up to date, then you're fine.  In general, the
 security team patches the current version to fix security bugs in
 stable rather than upgrade to a newer version.  That could be
 confusing your sysadmin.  The CRC bug was patched in debian as of ssh
 version 1.2.3-9.2.  You can look at the changelog in
 /usr/share/doc/ssh/changelog.Debian.gz for specific information.

Thanks for the info. Yes, I have that line in my sources.list, and I also
believe I am fine. Our network admin used the nessus ssh plugin to scan
the network.  He only says that nessus gives a warning about my computer
(concerning the crc bug) and knows nothing more. He uses debian himself
but with openssh 2.9p. In his case nessus doesn't complain.






Re: Which ssh should I have?

2001-11-07 Thread David Wright

Quoting Ted Cabeen ([EMAIL PROTECTED]):

 Hm, why should I do that? Is my admin right when he thinks that my
 current sshd is vulnerable? I have the latest stable precompiled
 package, i.e. the default ssh installed.
 
 Make sure that you have the security site in your /etc/apt/sources.list file. 
 If you do, and apt-get update; apt-get upgrade says you're up to date, then 
 you're fine.  In general, the security team patches the current version to 
 fix security bugs in stable rather than upgrade to a newer version.  That 
 could be confusing your sysadmin.  The CRC bug was patched in debian as of 
 ssh version 1.2.3-9.2.  You can look at the changelog in 
 /usr/share/doc/ssh/changelog.Debian.gz for specific information.

The original posting was ... (I'm running woody on a laptop PC). I
should have all the security fixes installed on my system (there is
this security.debian.org line on my sources.list file). 

One has to be a little more careful than that if one is running woody
(i.e. not stable) because security-patched versions for potato may be
seen as downgrades by one's system, and apt-get may ignore them.

Cheers,

-- 
Email:  [EMAIL PROTECTED]   Tel: +44 1908 653 739  Fax: +44 1908 655 151
Snail:  David Wright, Earth Science Dept., Milton Keynes, England, MK7 6AA
Disclaimer:   These addresses are only for reaching me, and do not signify
official stationery. Views expressed here are either my own or plagiarised.






Re: Which ssh should I have?

2001-11-07 Thread Wichert Akkerman

Previously Ville Uski wrote:
 Thanks for info. Yes, I have that line in my sources.list, and I also
 believe I am fine. Our network admin used the nessus ssh plugin to scan
 the network.  He only says that nessus gives a warning about my computer
 (concerning the crc bug) and knows nothing more.

That's because nessus only checks the version number, and since we
backported the patch we still have the old version number even though
we are safe.

Wichert.

-- 
  _
 [EMAIL PROTECTED] This space intentionally left occupied \
| [EMAIL PROTECTED]http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |






Re: Which ssh should I have?

2001-11-07 Thread Ville Uski

* Wichert Akkerman [EMAIL PROTECTED] [011107 18:54]:
 That's because nessus only checks the version number, and since we
 backported the patch we still have the old version number even though
 we are safe.

This also occurred to me, but appeared too trivial a solution...
Well, I guess that's it.

/Ville





