Bugtraq mailing list archives

FORW: Re: Bug in SSH1 secure-RPC support can expose users' private keys
From: Dan Harkless <dan-bugtraq () DILVISH SPEED NET>
Date: Wed, 17 Jan 2001 18:15:30 -0800

For some reason my Bugtraq post where I asked the below questions was not
approved (I guess the patches URL issue had been resolved by moderation
time, but the affected versions issue had not -- the advisory only makes
reference to 1.2.30).

Therefore, I sent the questions to ssh.com directly.  Below is the response.


------- Forwarded Message

Message-ID: <3A661F71.1553A3AC () ssh com>
Date: Wed, 17 Jan 2001 14:40:49 -0800
From: Stephanie Thomas <steph () ssh com>
Organization: SSH Communications Security Inc.
To: Dan Harkless <dan-bugtraq () dilvish speed net>
Subject: Re: Bug in SSH1 secure-RPC support can expose users' private keys
References: <20010116091449.A2299 () ssh com> <200101172045.MAA15310 () dilvish speed net>

Hi Dan,

All versions of SSH1, from 1.2.30 back (including 1.2.27),
are vulnerable.

Sorry about the incorrect url.  Here's the correct one:

http://www.ssh.com/ssh/patches.html

Best Regards,

Steph

Dan Harkless wrote:

> ssh2-bugs () ssh com writes:
> > There is a bug in SSH-1.2.30
>
> So is 1.2.27 not vulnerable?
>
> > involving Secure RPC. The patch for this is available at
> > http://www.ssh.com/patches.html.
>
> No it isn't.  That just gets a 404.
>
> ----------------------------------------------------------------------
> Dan Harkless                   | To prevent SPAM contamination, please
> dan-bugtraq () dilvish speed net  | do not mention this private email
> SpeedGate Communications, Inc. | address in Usenet posts.  Thank you.

--
Stephanie Thomas
Technical Support Specialist
SSH Communications Security Inc.
1076A E. Meadows Circle
Palo Alto, CA 94303
ssh-support () ssh com

Conference NOTE:  I will be out January 28, 2001 thru
February 3, 2001 for the SANS conference. I will be checking
email, but connectivity may be sporadic. When sending email
regarding support, please be sure to cc: ssh-support () ssh com
to ensure that your request will be handled during my absence.

------- End of Forwarded Message


----------------------------------------------------------------------
Dan Harkless                   | To prevent SPAM contamination, please
dan-bugtraq () dilvish speed net  | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts.  Thank you.

