From owner-freebsd-security Thu Jan 6 5:50:53 2000
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 40C28157E9; Thu, 6 Jan 2000 05:50:45 -0800 (PST) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id OAA43226; Thu, 6 Jan 2000 14:50:40 +0100 (CET) (envelope-from des@flood.ping.uio.no)
To: Brian Fundakowski Feldman
Cc: security@FreeBSD.ORG
Subject: Re: OpenSSH protocol 1.6 proposal
References:
From: Dag-Erling Smorgrav
Date: 06 Jan 2000 14:50:39 +0100
In-Reply-To: Brian Fundakowski Feldman's message of "Sat, 1 Jan 2000 13:49:22 -0500 (EST)"
Message-ID:
Lines: 53
User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Brian Fundakowski Feldman writes:
> I've been thinking what the best way to make OpenSSH more secure would be,
> and now it seems to be a change in the protocol. What change? Well,
> SSH version 1.5 and below (all versions so far) have been vulnerable to
> attacks based upon properties of the highly insecure CRC32 hash used.

Which part of "ssh 1.2.25 fixes the problem" did you not understand?
From the advisory:

Fix Information:
~~~~~~~~~~~~~~~~

Upgrade to the upcoming SSH protocol version 2. Commercial F-Secure SSH users contact Data Fellows Inc. for information on how to upgrade to F-Secure 2.0.

Notice that version 2 of the SSH protocol is not compatible with the previous version, thus you will need to upgrade all the SSH clients as well.

In the meantime, upgrade to version 1.2.25 of SSH, which fixes the problem. The SSH 1.2.25 distribution can be obtained from:

F-Secure SSH version 1.3.5 fixes this security problem. If you are using the commercial Data Fellows SSH package and you have a support contract, you can obtain the 1.3.5 from your local retailer.
Users without a support contract can obtain a patch which fixes this problem from: .

A patch for the free SSH 1.2.23 distribution and the complete SSH 1.2.23 package, with the patch applied, can be obtained at:

Below are the MD5 hashes for the provided files:

MD5 (ssh-1.2.23.patch) = 6bdb63d57f893907191986c5ced557ab
MD5 (ssh-1.2.23-core.tar.Z) = fffb52122aae26c1f212c051a305a310
MD5 (ssh-1.2.23-core.tar.gz) = f9509ba0f0715637805c6b116adc0869

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message