Date: 05 Jul 2002 16:11:01 +0200
From: Dag-Erling Smorgrav <des@ofug.org>
To: Trevor Johnson <trevor@jpj.net>
Cc: Mike Tancsa <mike@sentex.net>, Ruslan Ermilov <ru@FreeBSD.ORG>, <security@FreeBSD.ORG>
Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1]
Message-ID: <xzpit3utgcq.fsf@flood.ping.uio.no>
In-Reply-To: <20020705094314.C73784-100000@blues.jpj.net>
References: <20020705094314.C73784-100000@blues.jpj.net>

Trevor Johnson <trevor@jpj.net> writes:
> Use of protocol version 1 makes an insertion attack possible, according to
> <URL:http://www.openssh.com/security.html>.

That same page also explains that OpenSSH contains code to make such
attacks very difficult.

> The vulnerability was
> published by CORE SDI in June of 1998. I would like to see protocol
> version 1 disabled by default, with a note in UPDATING about the change.

No. I will not arbitrarily lock users out of their machines.

DES
--
Dag-Erling Smorgrav - des@ofug.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message