From owner-freebsd-security Fri Jan 7 7:40:43 2000
Delivered-To: freebsd-security@freebsd.org
Received: from folly.informatik.uni-erlangen.de (nbgdi3-145-253-131-129.arcor-ip.net [145.253.131.129]) by hub.freebsd.org (Postfix) with ESMTP id 2A4E615057 for ; Fri, 7 Jan 2000 07:40:38 -0800 (PST) (envelope-from markus.friedl@informatik.uni-erlangen.de)
Received: by folly.informatik.uni-erlangen.de (Postfix, from userid 31451) id 85687B7F; Fri, 7 Jan 2000 16:40:31 +0100 (CET)
Date: Fri, 7 Jan 2000 16:40:31 +0100
From: Markus Friedl
To: Dag-Erling Smorgrav
Cc: security@FreeBSD.ORG, Markus Friedl
Subject: Re: OpenSSH protocol 1.6 proposal
Message-ID: <20000107164031.A9346@folly.informatik.uni-erlangen.de>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.7i
In-Reply-To:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

1.2.25 et al. do not fix the problem, they just make attacks a little bit harder.

On Thu, Jan 06, 2000 at 02:50:39PM +0100, Dag-Erling Smorgrav wrote:
> Brian Fundakowski Feldman writes:
> > I've been thinking what the best way to make OpenSSH more secure would be,
> > and now it seems to be a change in the protocol. What change? Well,
> > SSH version 1.5 and below (all versions so far) have been vulnerable to
> > attacks based upon properties of the highly insecure CRC32 hash used.
>
> Which part of "ssh 1.2.25 fixes the problem" did you not understand?
>
> From the advisory:
>
> Fix Information:
> ~~~~~~~~~~~~~~~~
>
> Upgrade to the upcoming SSH protocol version 2.
>
> Commercial F-Secure SSH users contact Data Fellows Inc. for
> information on how to upgrade to F-Secure 2.0.
>
> Notice that version 2 of the SSH protocol is not
> compatible with the previous version, thus you
> will need to upgrade all the SSH clients as well.
>
> In the meantime, upgrade to version 1.2.25 of SSH, which
> fixes the problem. The SSH 1.2.25 distribution can be
> obtained from:
>
>
>
> F-Secure SSH version 1.3.5 fixes this security problem.
> If you are using the commercial Data Fellows SSH package and you
> have a support contract, you can obtain the 1.3.5 from your local
> retailer.
>
> Users without a support contract can obtain a patch which fixes
> this problem from:
>
> .
>
> A patch for the free SSH 1.2.23 distribution and the complete
> SSH 1.2.23 package, with the patch applied, can be obtained at:
>
>
>
> Below are the MD5 hashes for the provided files:
>
> MD5 (ssh-1.2.23.patch) = 6bdb63d57f893907191986c5ced557ab
> MD5 (ssh-1.2.23-core.tar.Z) = fffb52122aae26c1f212c051a305a310
> MD5 (ssh-1.2.23-core.tar.gz) = f9509ba0f0715637805c6b116adc0869
>
>
> DES
> --
> Dag-Erling Smorgrav - des@flood.ping.uio.no
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
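As an added illustration of the CRC32 property Feldman's message refers to (example code, not from this thread or from OpenSSH): CRC32 is affine over XOR, so the checksum of a modified message follows from the old checksum and the modification alone, which is why a CRC is an error detector and not an integrity check, and why a keyed MAC such as the HMAC used by SSH protocol 2 removes the weakness. The key, message and modification below are constructed sample values; the SSH packet format itself is not modelled.

```python
import hashlib
import hmac
import zlib

# Constructed sample values (not real SSH traffic or keys).
KEY = b"constructed-hmac-key"
MESSAGE = b"exec echo hello from a protocol-1 packet"
# Modification that flips the case of two letters; same length as MESSAGE.
DELTA = bytes(0x20 if i in (5, 6) else 0 for i in range(len(MESSAGE)))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def predict_crc32_after_xor(crc_original: int, delta: bytes) -> int:
    """CRC32 is affine over GF(2): for equal-length inputs,
    crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros).  The checksum of the
    modified message is therefore computable without the message."""
    return crc_original ^ zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))


def crc32_relation_holds(message: bytes, delta: bytes) -> bool:
    """Compare the prediction with the real CRC32 of the modified message."""
    predicted = predict_crc32_after_xor(zlib.crc32(message), delta)
    return predicted == zlib.crc32(xor_bytes(message, delta))


def hmac_relation_holds(key: bytes, message: bytes, delta: bytes) -> bool:
    """Apply the same relation to HMAC-SHA1, a keyed MAC of the kind SSH
    protocol 2 uses.  It does not hold: the tag of the modified message
    cannot be derived from the other tags without the key."""
    def mac(m: bytes) -> bytes:
        return hmac.new(key, m, hashlib.sha1).digest()
    zeros = bytes(len(delta))
    predicted = xor_bytes(xor_bytes(mac(message), mac(delta)), mac(zeros))
    return predicted == mac(xor_bytes(message, delta))


if __name__ == "__main__":
    print("CRC32 relation holds:", crc32_relation_holds(MESSAGE, DELTA))      # True
    print("HMAC-SHA1 relation holds:", hmac_relation_holds(KEY, MESSAGE, DELTA))  # False
```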