Unfortunately the OpenSSH page is not very detailed on the problem, but I
assume it discusses the RSAREF2 vulnerability (see
http://www.cert.org/advisories/CA-99-15-RSAREF2.html) in conjunction
with SSH server.

The problem affects only SSH1 versions prior to F-Secure SSH 1.3.7 (as
the advisory states). Furthermore, commercial users are not supposed to
use the vulnerable RSAREF library at all since F-Secure SSH 1.x is shipped
with an RSA license and thus can use an RSA implementation of its own.
SSH2 clients and servers aren't known to present the same problem.

Regards,
Heikki Nousiainen
F-Secure

On Thu, 8 Jun 2000, Noel L Yap wrote:
> I just pulled the above from http://www.openssh.com/security.html. Does anyone
> have any more details about this vulnerability?
>
> Thanks,
> Noel