> There appears to be a serious vulnerability in ssh 1.2.27. I will let the > folks who worked on this issue describe. There was brief discussion on > vuln-dev on the politics of ssh 1 vs. ssh 2, etc... you may or may not > want to play that out on Bugtraq. One of the key points of the SSH 1 vs. > SSH 2 debate is regarding licensing. Basically, because of a less strict > license on SSH 1, more folks are likely to be running that version. (This > is all referring to the Datafellows implementation that everyone uses, > rather than standards and protocols, I presume.) The upcoming OpenBSD 2.6 release contains/includes an ssh implimentation which is derived from an earlier ssh 1 (and thus has no Datafellows licencing issues). We are calling this ssh by the name "OpenSSH". Anyways, in the process of rewriting parts of ssh, the OpenSSH developers accidentally fixed this bug. Whoops! :-) So when the OpenBSD 2.6 release finally comes out (about 10 days from now?), I hope that this pre-announcement will stop us from being flooded with questions about this particular problem.....
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:12:14 PDT