Dear Sami,
> We released a new version of ssh1, ssh-1.2.28. This has the latest
> Kerberos related security fixes.
A few other recent fixes come to mind that should also be there, but
aren't:
- disallowing access via unsupported ciphers (particularly "none") from
malicious clients in sshd.c, as discovered and patched by Markus Friedl
in a Dec 1999 post to Bugtraq and forwarded to the ssh list by Jean
Chouanard on Dec 14, 1999¹;
- not hogging syslog file handles (to guard against potential problems
on large multi-user IRIX machines), as discovered and patched²
(against 1.2.26!) by James Barlow in February 1999;
- making sure scp's don't miss data at the ends of files; I am sorry
I can't attribute this change to anybody (please stand up!) and I
didn't find the patch on any search engines or the list archive
either, but it's been patched in March 2000, it's a few lines in
serverloop.c, around line 429, and essentially adds checking for
file descriptor EOF in two places.
¹ <URL:http://www.cs.hut.fi/ssh-archive/messages/991214-211116-6383>
²
<URL:http://www.ncsa.uiuc.edu/General/CC/ssh/patch_repository/descriptions/syslog_open_handle.html>
--
Atro Tossavainen (Mr.), Systems Analyst, contact info at URL, +358-9-19158939
Institute of Biotechnology, University of Helsinki, Finland
My opinions may freely be shared by my employers if they want to.
< URL : http : / / www . iki . fi / atro . tossavainen / >
