[AG-TECH] AG/OpenSSH vulnerability
olson at mcs.anl.gov
Mon Jan 7 18:50:29 CST 2002
I don't honestly know; the advisory just talks about openssh:
However, in reading that document I find this:
>To protect yourself from this vulnerability, you must not only install
>SSH-2 protocol daemons but you must also disable the drop back to SSH-1
>protocols. Systems that are currently being compromised are neglecting
>this second step!
>For OpenSSH, the SSH-1 protocols are part of the SSH-2 daemon and cannot
>be removed from the system. However, they can be disabled by setting the
>following tag in the /etc/ssh/sshd_config file.
> Protocol 2
I have built new RPMs that have a patch to set that tag. I am not sure,
however, if the RPM install will overwrite an existing configuration file.
I encourage people to check /etc/ssh/sshd_config to ensure that the line
'Protocol 2' is in place there.
At 04:29 PM 1/7/2002 -0800, Randy Groves wrote:
>Any concern about the OpenSSL 0.9.5a on the same distribution? OpenSSL
>has been 0.9.6b for some time, and I just noticed that this is now 0.9.6c.
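
The check of /etc/ssh/sshd_config recommended in the message above can be scripted; this is an added example, not part of the original message or of the RPMs it mentions. The function names are hypothetical and the sample file is constructed. It relies on sshd using the first value it reads for a keyword, matching keywords case-insensitively, and treating `#` as the start of a comment.

```shell
#!/bin/sh
# Added example: report which SSH protocol versions an sshd_config permits.

# Print the effective Protocol value, or "unset" if no directive is active.
effective_protocol() {
    awk '
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }   # drop comments and indent
        { n = split($0, f, /[ \t=]+/) }          # keyword, then argument(s)
        tolower(f[1]) == "protocol" {            # first occurrence wins
            v = ""
            for (i = 2; i <= n; i++) v = v f[i]
            gsub(/"/, "", v)
            print v; found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Return 0 if only SSH-2 is allowed, 1 if SSH-1 is still permitted,
# 2 if the result needs a human look, 3 if the file cannot be read.
check_sshd_protocol() {
    [ -r "$1" ] || { echo "ERROR: cannot read $1"; return 3; }
    p=$(effective_protocol "$1")
    case "$p" in
        2)     echo "OK: Protocol 2 only"; return 0 ;;
        unset) echo "WARN: no active Protocol line; built-in default applies"
               return 2 ;;
        *1*)   echo "FAIL: SSH-1 still permitted (Protocol $p)"; return 1 ;;
        *)     echo "WARN: unrecognised Protocol value '$p'"; return 2 ;;
    esac
}

# Constructed sample, not a real host's file: a commented-out fallback
# line followed by the setting the advisory asks for.
sample=$(mktemp)
printf '%s\n' '#Protocol 2,1' 'Port 22' 'Protocol 2' > "$sample"
check_sshd_protocol "$sample"
rm -f "$sample"
```

To check a real host, call `check_sshd_protocol /etc/ssh/sshd_config` after installing the package, since the file on disk may be the old one; the daemon must be restarted to pick up a changed setting.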