[AG-TECH] AG/OpenSSH vulnerability
Robert Olson
olson at mcs.anl.gov
Mon Jan 7 18:50:29 CST 2002
I don't honestly know; the advisory just talks about openssh:
http://www.ciac.org/ciac/techbull/CIACTech02-001.shtml
However, in reading that document I find this:
>Protecting Systems
>
>To protect yourself from this vulnerability, you must not only install
>SSH-2 protocol daemons but you must also disable the drop back to SSH-1
>protocols. Systems that are currently being compromised are neglecting
>this second step!
>
>[...]
>
>
>For OpenSSH, the SSH-1 protocols are part of the SSH-2 daemon and cannot
>be removed from the system. However, they can be disabled by setting the
>following tag in the /etc/ssh/sshd_config file.
>
> Protocol 2
I have built new RPMs that have a patch to set that tag. I am not sure,
however, if the RPM install will overwrite an existing configuration file.
I encourage people to check /etc/ssh/sshd_config to ensure that the line
'Protocol 2' is in place there.
New RPMs:
http://www-unix.mcs.anl.gov/~olson/AG/Software/Linux/openssh-3.0.2p1-2.i386.rpm
http://www-unix.mcs.anl.gov/~olson/AG/Software/Linux/openssh-askpass-3.0.2p1-2.i386.rpm
http://www-unix.mcs.anl.gov/~olson/AG/Software/Linux/openssh-askpass-gnome-3.0.2p1-2.i386.rpm
http://www-unix.mcs.anl.gov/~olson/AG/Software/Linux/openssh-clients-3.0.2p1-2.i386.rpm
http://www-unix.mcs.anl.gov/~olson/AG/Software/Linux/openssh-server-3.0.2p1-2.i386.rpm
--bob
At 04:29 PM 1/7/2002 -0800, Randy Groves wrote:
>Any concern about the OpenSSL 0.9.5a on the same distribution? OpenSSL
>has been 0.9.6b for some time, and I just noticed that this is now 0.9.6c.
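One way to run the sshd_config check recommended in the message above, as an added example that is not part of the original message or of the RPMs it links. The function names and sample files are constructed for illustration, and the script assumes that an OpenSSH build of this vintage accepts both protocol versions when no Protocol line is present.

```shell
#!/bin/sh
# Added example: report whether an sshd_config leaves SSH-1 fallback enabled.

# Print the effective Protocol value of the config file in $1, or "unset".
# sshd keeps the first value it reads for a keyword, and keywords are
# case-insensitive, so a later "Protocol 2" does not override an earlier line.
effective_protocol() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }          # blank lines and comments
        tolower($1) == "protocol" { v = $2; found = 1; exit }
        END { print (found ? v : "unset") }
    ' "$1"
}

# Succeed only when the file explicitly restricts the daemon to SSH-2.
# Assumption: with no Protocol line the daemon accepts both versions,
# so "unset" is treated as SSH-1 still enabled.
ssh1_disabled() {
    [ "$(effective_protocol "$1")" = "2" ]
}

# Constructed sample configs (not taken from any real host).
demo_dir=$(mktemp -d)
printf '#Protocol 2\nPort 22\n' > "$demo_dir/commented"
printf 'Port 22\nprotocol 2,1\nProtocol 2\n' > "$demo_dir/fallback"
printf 'Port 22\nProtocol 2\n' > "$demo_dir/fixed"

for f in commented fallback fixed; do
    if ssh1_disabled "$demo_dir/$f"; then
        echo "$f: SSH-1 disabled"
    else
        echo "$f: SSH-1 still enabled (Protocol=$(effective_protocol "$demo_dir/$f"))"
    fi
done
rm -rf "$demo_dir"
```

To check a real host, call `ssh1_disabled /etc/ssh/sshd_config` after installing the packages, since the existing file may not have been replaced.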