security SSH high risk
From: DFX, s.r.o. - Michal Sedlak (sedlak_at_dfx.sk)
Date: 08/31/05
- Previous message: TreeBoy: "Re: How to send hostname through DHCP more often."
- Next in thread: John Hasler: "Re: security SSH high risk"
- Reply: John Hasler: "Re: security SSH high risk"
To: <debian-user@lists.debian.org>
Date: Wed, 31 Aug 2005 18:46:59 +0200
Hi,
I have OpenSSH
OpenSSH_3.8.1p1 Debian-8.sarge.4, OpenSSL 0.9.7e 25 Oct 2004
A security audit check said:
----------------------------------
You are running a version of SSH which is older than (or as old as) version
1.2.27. If this version was compiled against the RSAREF library, then it is
very likely to be vulnerable to a buffer overflow which may be exploited by
an attacker to gain root privileges on your system.
To determine if you compiled ssh against the RSAREF library, type 'ssh -V'
on the remote host.
Risk factor : High
Solution : Use ssh 2.x, or do not compile ssh against the RSAREF library
-----------------------------------
Can anybody say whether that is true, and what to do about it?
ssh -V gives back -> OpenSSH_3.8.1p1 Debian-8.sarge.4, OpenSSL 0.9.7e 25 Oct 2004
Michal Sedlak
technical manager
E-mail: sedlak@dfx.sk
Mobil: +421 910 539 867
---------------------------------------
DFX, s.r.o.
Dubravska cesta 9
SK 84105 Bratislava
Tel.: +421 2 5465 0336
Fax: +421 2 5465 0337
www.dfx.sk
-------------------------------------
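
The audit text quoted in the message names two conditions (version 1.2.27 or older, and a build against RSAREF) and points at `ssh -V` to check them. The Python below is an added example, not part of the original message or of any scanner: it parses `ssh -V` output and evaluates both conditions. The legacy banner string and its "Compiled with RSAREF" wording are constructed sample input and an assumption about the old format.

```python
import re

# Threshold taken from the audit text quoted in the message.
AFFECTED_MAX = (1, 2, 27)

# Banner exactly as reported in the message.
PAGE_BANNER = "OpenSSH_3.8.1p1 Debian-8.sarge.4, OpenSSL 0.9.7e 25 Oct 2004"

# Constructed sample of a legacy banner (format is an assumption).
LEGACY_BANNER = ("SSH Version 1.2.27 [i686-unknown-linux], "
                 "protocol version 1.5. Compiled with RSAREF.")


def parse_ssh_version(banner):
    """Return (product, version_tuple) from `ssh -V` output, or None."""
    m = re.search(r"(OpenSSH)_(\d+(?:\.\d+)*)", banner)
    if m is None:
        m = re.search(r"(SSH) Version (\d+(?:\.\d+)*)", banner)
    if m is None:
        return None
    return m.group(1), tuple(int(p) for p in m.group(2).split("."))


def rsaref_finding_applies(banner):
    """True only if BOTH conditions in the audit text hold.

    Returns None when the banner cannot be parsed, so the caller
    reviews it by hand instead of trusting a guess.
    """
    parsed = parse_ssh_version(banner)
    if parsed is None:
        return None
    _product, version = parsed
    old_enough = version <= AFFECTED_MAX
    built_with_rsaref = re.search(r"compiled with RSAREF", banner,
                                  re.IGNORECASE) is not None
    return old_enough and built_with_rsaref


if __name__ == "__main__":
    for label, banner in (("page", PAGE_BANNER), ("legacy", LEGACY_BANNER)):
        print(label, parse_ssh_version(banner), rsaref_finding_applies(banner))
```
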