Bugtraq mailing list archives
FORW: Re: Bug in SSH1 secure-RPC support can expose users' private keys
From: Dan Harkless <dan-bugtraq () DILVISH SPEED NET>
Date: Wed, 17 Jan 2001 18:15:30 -0800
For some reason my Bugtraq post where I asked the below questions was not approved (I guess the patches URL issue had been resolved by moderation time, but the affected versions issue had not -- the advisory only makes reference to 1.2.30). Therefore, I sent the questions to ssh.com directly. Below is the response.

------- Forwarded Message

Message-ID: <3A661F71.1553A3AC () ssh com>
Date: Wed, 17 Jan 2001 14:40:49 -0800
From: Stephanie Thomas <steph () ssh com>
Organization: SSH Communications Security Inc.
To: Dan Harkless <dan-bugtraq () dilvish speed net>
Subject: Re: Bug in SSH1 secure-RPC support can expose users' private keys
References: <20010116091449.A2299 () ssh com> <200101172045.MAA15310 () dilvish speed net>

Hi Dan,

All versions of SSH1, from 1.2.30 back (including 1.2.27), are vulnerable.

Sorry about the incorrect url. Here's the correct one:

http://www.ssh.com/ssh/patches.html

Best Regards,

Steph

Dan Harkless wrote:
>
> ssh2-bugs () ssh com writes:
> > There is a bug in SSH-1.2.30
>
> So is 1.2.27 not vulnerable?
>
> > involving Secure RPC. The patch for this is available at
> > http://www.ssh.com/patches.html.
>
> No it isn't. That just gets a 404.
>
> ----------------------------------------------------------------------
> Dan Harkless                     | To prevent SPAM contamination, please
> dan-bugtraq () dilvish speed net | do not mention this private email
> SpeedGate Communications, Inc.   | address in Usenet posts. Thank you.

--
Stephanie Thomas
Technical Support Specialist
SSH Communications Security Inc.
1076A E. Meadows Circle
Palo Alto, CA 94303
ssh-support () ssh com

Conference NOTE: I will be out January 28, 2001 thru February 3, 2001 for the SANS conference. I will be checking email, but connectivity may be sporadic. When sending email regarding support, please be sure to cc: ssh-support () ssh com to ensure that your request will be handled during my absence.

------- End of Forwarded Message

----------------------------------------------------------------------
Dan Harkless                     | To prevent SPAM contamination, please
dan-bugtraq () dilvish speed net | do not mention this private email
SpeedGate Communications, Inc.   | address in Usenet posts. Thank you.
