From: Dan Harkless (dan-bugtraqDILVISH.SPEED.NET)
Date: Wed Jan 17 2001 - 20:15:30 CST

    For some reason my Bugtraq post where I asked the below questions was not
    approved (I guess the patches URL issue had been resolved by moderation
    time, but the affected versions issue had not -- the advisory only makes
    reference to 1.2.30).

    Therefore, I sent the questions to ssh.com directly. Below is the response.

    ------- Forwarded Message

    Message-ID: <3A661F71.1553A3ACssh.com>
    Date: Wed, 17 Jan 2001 14:40:49 -0800
    From: Stephanie Thomas <stephssh.com>
    Organization: SSH Communications Security Inc.
    To: Dan Harkless <dan-bugtraqdilvish.speed.net>
    Subject: Re: Bug in SSH1 secure-RPC support can expose users' private keys
    References: <20010116091449.A2299ssh.com> <200101172045.MAA15310dilvish.speed.net>

    Hi Dan,

    All versions of SSH1, from 1.2.30 back (including 1.2.27),
    are vulnerable.

    Sorry about the incorrect url. Here's the correct one:

    http://www.ssh.com/ssh/patches.html

    Best Regards,

    Steph

    Dan Harkless wrote:
    >
    > ssh2-bugsssh.com writes:
    > > There is a bug in SSH-1.2.30
    >
    > So is 1.2.27 not vulnerable?
    >
    > > involving Secure RPC. The patch for this is available at
    > > http://www.ssh.com/patches.html.
    >
    > No it isn't. That just gets a 404.
    >
    > ----------------------------------------------------------------------
    > Dan Harkless | To prevent SPAM contamination, please
    > dan-bugtraqdilvish.speed.net | do not mention this private email
    > SpeedGate Communications, Inc. | address in Usenet posts. Thank you.

    - --
    Stephanie Thomas
    Technical Support Specialist
    SSH Communications Security Inc.
    1076A E. Meadows Circle
    Palo Alto, CA 94303
    ssh-supportssh.com

    Conference NOTE: I will be out January 28, 2001 thru
    February 3, 2001 for the SANS conference. I will be checking
    email, but connectivity may be sporadic. When sending email
    regarding support, please be sure to cc: ssh-supportssh.com
    to ensure that your request will be handled during my absence.

    ------- End of Forwarded Message

    ----------------------------------------------------------------------
    Dan Harkless | To prevent SPAM contamination, please
    dan-bugtraqdilvish.speed.net | do not mention this private email
    SpeedGate Communications, Inc. | address in Usenet posts. Thank you.