Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0

From: Florian Weimer (Florian.Weimerat_private-Stuttgart.DE)
Date: Sun Jul 22 2001 - 01:03:31 PDT

    "Stephanie Thomas" <customer.serviceat_private> writes:
    
    > A potential remote root exploit has been discovered 
    > in SSH Secure Shell 3.0.0, for Unix only, concerning 
    > accounts with password fields consisting of two or 
    > fewer characters.
    
    A quick glance at the source code suggests that SSH 2.3.0 and 2.4.0
    have the same problem.  Is this true?
    
    > Use the following patch in the source code:
    
    It is not quite clear whether the license agreement permits
    modification of the source code.
    
    -- 
    Florian Weimer 	                  Florian.Weimerat_private-Stuttgart.DE
    University of Stuttgart           http://cert.uni-stuttgart.de/
    RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
    



    This archive was generated by hypermail 2b30 : Mon Jul 23 2001 - 08:14:17 PDT