From owner-freebsd-questions@FreeBSD.ORG Tue Aug 17 00:06:29 2004
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A5C8816A4CF for ; Tue, 17 Aug 2004 00:06:29 +0000 (GMT)
Received: from web61302.mail.yahoo.com (web61302.mail.yahoo.com [216.155.196.145]) by mx1.FreeBSD.org (Postfix) with SMTP id 3AC7043D39 for ; Tue, 17 Aug 2004 00:06:29 +0000 (GMT) (envelope-from stheg_olloydson@yahoo.com)
Message-ID: <20040817000628.46249.qmail@web61302.mail.yahoo.com>
Received: from [67.34.130.149] by web61302.mail.yahoo.com via HTTP; Mon, 16 Aug 2004 17:06:28 PDT
Date: Mon, 16 Aug 2004 17:06:28 -0700 (PDT)
From: stheg olloydson
To: Jay O'Brien
In-Reply-To: <412141E7.60205@att.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
cc: questions@freebsd.org
Subject: Re: [OT] Security hole in PuTTY (Windows ssh client)
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Tue, 17 Aug 2004 00:06:29 -0000

it was said:

> I think what you are saying is that if you use PuTTY as a client
> application that you should be concerned about what server you
> connect to? From what you are saying, I suspect that if the only
> use is to connect to your own (FreeBSD) server, you are probably ok?
>
> Jay O'Brien

Hello,

To quote from the link:

    In SSH2, an attacker impersonating a trusted host can launch an attack
    before the client has the ability to determine the difference between
    the trusted and fake host. This attack is performed before host key
    verification.

Presuming one were connecting over "private" network IP space by IP address only, then I believe you are correct. I can imagine scenarios in which, if one were to connect over the Internet or even into a different network segment using DNS, one would be at risk.
The vendor has patched the hole and released 0.55, recommending all users update. If I were using this software, I would take their advice.

Note: Apparently, a "Unix" version exists, and the source code is available under the MIT Licence. So I guess my post was "completely" OT.

HTH,
Stheg