[AG-TECH] AG/OpenSSH vulnerability

Robert Olson olson at mcs.anl.gov
Mon Jan 7 18:50:29 CST 2002

I don't honestly know; the advisory just talks about openssh:


However, in reading that document I find this:

>Protecting Systems
>To protect yourself from this vulnerability, you must not only install 
>SSH-2 protocol daemons but you must also disable the drop back to SSH-1 
>protocols. Systems that are currently being compromised are neglecting 
>this second step!
>For OpenSSH, the SSH-1 protocols are part of the SSH-2 daemon and cannot 
>be removed from the system. However, they can be disabled by setting the 
>following tag in the /etc/ssh/sshd_config file.
>   Protocol 2

I have built new RPMs that have a patch to set that tag. I am not sure, 
however, if the RPM install will overwrite an existing configuration file. 
I encourage people to check /etc/ssh/sshd_config to ensure that the line 
'Protocol 2' is in place there.

New RPMs:



At 04:29 PM 1/7/2002 -0800, Randy Groves wrote:
>Any concern about the OpenSSL 0.9.5a on the same distribution?  OpenSSL 
>has been 0.9.6b for some time, and I just noticed that this is now 0.9.6c.
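
Added example (not part of the original message or the quoted advisory): a shell function that performs the check of /etc/ssh/sshd_config the message asks for, reporting whether the first active Protocol line restricts sshd to SSH-2. The function name check_protocol and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether an sshd_config restricts sshd to SSH-2.
# Prints one of: ok | ssh1-enabled | unset

check_protocol() {
    # $1: path to an sshd_config file
    awk '
        # Skip blank lines and comment lines; "#Protocol 2" is not a setting.
        /^[ \t]*(#|$)/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # Split keyword from value on whitespace or "=".
            n = match(line, /[ \t=]+/)
            if (n == 0) next
            # Keywords are case-insensitive.
            key = tolower(substr(line, 1, n - 1))
            if (key != "protocol") next
            val = substr(line, n + RLENGTH)
            gsub(/[ \t]/, "", val)
            # sshd keeps the first value it reads for a keyword, so only
            # the first active Protocol line is evaluated.
            m = split(val, parts, ",")
            verdict = "ok"
            for (i = 1; i <= m; i++)
                if (parts[i] != "2") verdict = "ssh1-enabled"
            print verdict
            found = 1
            exit
        }
        # No active Protocol line: the tag the advisory asks for is missing.
        END { if (!found) print "unset" }
    ' "$1"
}

# Constructed sample: the commented-out line is ignored, and the first
# active Protocol line still permits SSH-1 even though "Protocol 2" follows.
sample=$(mktemp)
printf '%s\n' '#Protocol 2' 'Port 22' 'protocol 2,1' 'Protocol 2' > "$sample"
check_protocol "$sample"    # prints: ssh1-enabled
rm -f "$sample"
```

Run it against the live file with check_protocol /etc/ssh/sshd_config; any result other than "ok" means the 'Protocol 2' line is not in effect as written.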
