[AG-TECH] AG/OpenSSH vulnerability

Randy Groves randy.groves at boeing.com
Mon Jan 7 18:29:42 CST 2002

Any concern about the OpenSSL 0.9.5a on the same distribution?  OpenSSL has 
been 0.9.6b for some time, and I just noticed that this is now 0.9.6c.


At 05:47 PM 1/7/2002 -0600, Robert Olson wrote:
>There was an incident at at an AG site over the break where an AG linux 
>machine was broken into. The intruder apparently used the CRC32 attack 
>compensator buffer overflow exploit in the verison of the OpenSSH server 
>that was shipped with the AG toolkit.
>There are several things you can do to protect yourself from similar attacks.
>First, you can disable incoming ssh entirely:
>         /sbin/service sshd stop
>         /sbin/chkconfig sshd off
>Normal operation of the AG node does not require incoming ssh to be 
>running on the linux boxes.
>There are patched versions of the ssh server available; however, I don't 
>have pointers to them offhand (and I want to get this message out). ssh's 
>home is at openssh.org, and there are links there to both source packages 
>and Linux RPMs. I am looking into building RH6.2-compatible RPMs for the 
>latest ssh; stay tuned.

More information about the ag-tech mailing list