Date:      Fri, 7 Jan 2000 16:40:31 +0100
From:      Markus Friedl <markus.friedl@informatik.uni-erlangen.de>
To:        Dag-Erling Smorgrav <des@flood.ping.uio.no>
Cc:        security@FreeBSD.ORG, Markus Friedl <markus.friedl@informatik.uni-erlangen.de>
Subject:   Re: OpenSSH protocol 1.6 proposal
Message-ID:  <20000107164031.A9346@folly.informatik.uni-erlangen.de>
In-Reply-To: <xzpu2krs40g.fsf@flood.ping.uio.no>
References:  <Pine.BSF.4.10.10001011324420.756-100000@green.dyndns.org> <xzpu2krs40g.fsf@flood.ping.uio.no>

1.2.25 et al do not fix the problem, they just make
attacks a little bit harder.

On Thu, Jan 06, 2000 at 02:50:39PM +0100, Dag-Erling Smorgrav wrote:
> Brian Fundakowski Feldman <green@FreeBSD.ORG> writes:
> > I've been thinking what the best way to make OpenSSH more secure would be,
> > and now it seems to be a change in the protocol.  What change?  Well,
> > SSH version 1.5 and below (all versions so far) have been vulnerable to
> > attacks based upon properties of the highly insecure CRC32 hash used.
> 
> Which part of "ssh 1.2.25 fixes the problem" did you not understand?
> 
> From the advisory:
> 
> Fix Information:
> ~~~~~~~~~~~~~~~~
> 
>    Upgrade to the upcoming SSH protocol version 2.
> 
>    Commercial F-Secure SSH users contact Data Fellows Inc. for
>    information on how to upgrade to F-Secure 2.0
> 
>    Notice that version 2 of the SSH protocol is not
>    compatible with the previous version, thus you
>    will need to upgrade all the SSH clients as well.
> 
>    In the meantime, upgrade to version 1.2.25 of SSH, which
>    fixes the problem. The SSH 1.2.25 distribution can be
>    obtained from:
> 
>     <ftp://ftp.cs.hut.fi/pub/ssh/ssh-1.2.25.tar.gz>;
> 
>    F-Secure SSH version 1.3.5 fixes this security problem.
>    If you are using the commercial Data Fellows SSH package and you
>    have a support contract, you can obtain the 1.3.5 from your local
>    retailer.
> 
>    Users without a support contract can obtain a patch which fixes
>    this problem from:
> 
>     <http://www.DataFellows.com/f-secure/support/ssh/bug/su134patch.html>.
> 
>    A patch for the free SSH 1.2.23 distribution and the complete
>    SSH 1.2.23 package, with the patch applied, can be obtained at:
> 
>             <http://www.core-sdi.com/ssh>;
> 
>   Below  are the MD5 hashes for the provided files
> 
>    MD5 (ssh-1.2.23.patch) = 6bdb63d57f893907191986c5ced557ab
>    MD5 (ssh-1.2.23-core.tar.Z) = fffb52122aae26c1f212c051a305a310
>    MD5 (ssh-1.2.23-core.tar.gz) = f9509ba0f0715637805c6b116adc0869
> 
> 
> DES
> --
> Dag-Erling Smorgrav - des@flood.ping.uio.no
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 
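As an added illustration of the CRC32 weakness this thread argues about (example code, not from the thread or from the OpenSSH project), the Python below shows the property that disqualifies CRC-32 as an integrity check: it is linear over GF(2), so the check value of a changed message follows from the original's check value and the change alone, with no key involved; the same relation fails against HMAC-SHA256. The message, the change and the key are constructed sample values.

```python
import hashlib
import hmac
import zlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(p ^ q for p, q in zip(a, b))


def predicted_crc32(crc_orig: int, delta: bytes, length: int) -> int:
    """Predict the CRC-32 of (original XOR delta) from the original's CRC alone.

    zlib's CRC-32 (init 0xFFFFFFFF, final XOR) is affine for fixed-length input:
        crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros of the same length)
    so neither the original bytes nor any secret is needed, only its check value.
    """
    assert len(delta) == length
    return crc_orig ^ zlib.crc32(delta) ^ zlib.crc32(bytes(length))


def crc32_linearity_holds(msg: bytes, delta: bytes) -> bool:
    """True when the predicted check value equals the real one (always, for CRC)."""
    real = zlib.crc32(xor_bytes(msg, delta))
    return predicted_crc32(zlib.crc32(msg), delta, len(msg)) == real


def hmac_tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def hmac_linearity_holds(key: bytes, msg: bytes, delta: bytes) -> bool:
    """The same relation tried against HMAC-SHA256: fails, HMAC is not linear."""
    predicted = xor_bytes(xor_bytes(hmac_tag(key, msg), hmac_tag(key, delta)),
                          hmac_tag(key, bytes(len(msg))))
    return predicted == hmac_tag(key, xor_bytes(msg, delta))


def verify_hmac(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time tag check, the verification a keyed integrity layer needs."""
    return hmac.compare_digest(hmac_tag(key, msg), tag)


# Constructed sample data (hypothetical values, not from any real session).
SAMPLE_MSG = b"The quick brown fox"
SAMPLE_DELTA = xor_bytes(SAMPLE_MSG, b"The quick brown dog")
SAMPLE_KEY = b"constructed-demo-key"

if __name__ == "__main__":
    print("CRC-32 relation holds:", crc32_linearity_holds(SAMPLE_MSG, SAMPLE_DELTA))
    print("HMAC relation holds:  ", hmac_linearity_holds(SAMPLE_KEY, SAMPLE_MSG, SAMPLE_DELTA))
```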

