RE: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0

From: Sports (madbooat_private)
Date: Mon Jul 23 2001 - 12:17:26 PDT


     
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    What about 2.9?
    
    - -----Original Message-----
    From: Thomas Roessler [mailto:roessler@does-not-exist.org]
    Sent: Monday, July 23, 2001 11:42 AM
    To: Florian Weimer
    Cc: BUGTRAQat_private; customer.serviceat_private
    Subject: Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0
    
    
    On 2001-07-22 10:03:31 +0200, Florian Weimer wrote:
    
    >A quick glance at the source code suggests that SSH 2.3.0 and 
    >2.4.0 have the same problem.  Is this true?
    
    I suppose we are talking about this section of ssh 2.4.0's
    sshunixuser.c:
    
      /* Authentication is accepted if the encrypted passwords are identical. */
    #ifdef HAVE_HPUX_TCB_AUTH
      return strncmp(encrypted_password, correct_passwd,
                     strlen(correct_passwd)) == 0;
    #else /* HAVE_HPUX_TCB_AUTH */
      return strcmp(encrypted_password, correct_passwd) == 0;
    #endif /* HAVE_HPUX_TCB_AUTH */
    
    If I read this correctly, it's certainly not a problem unless ssh is 
    compiled with HAVE_HPUX_TCB_AUTH defined.  In that case, it may or 
    may not be a problem.
    
    - -- 
    Thomas Roessler                        http://log.does-not-exist.org/
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
    
    iQA/AwUBO1x4RXuovSIevPCzEQJgrACg7nG4kHVms/VV/fjKZPcT9OV0JRIAn2pG
    Aqs6zdkLUaAYXceFoA3ydrLI
    =8e4m
    -----END PGP SIGNATURE-----
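
An added illustration of the two branches quoted in the message above (not part of the original e-mail, and not ssh code beyond the two return expressions): the strncmp form is a prefix test, so its result depends on how long the stored field is. The sample strings are constructed, match_strict and min_len are hypothetical, and the example assumes the computed string begins with the stored field's leading salt characters, as traditional crypt(3) output does.

```c
#include <stdio.h>
#include <string.h>

/* Same comparison as the HAVE_HPUX_TCB_AUTH branch quoted above: only
   strlen(correct_passwd) bytes are examined, so this is a prefix test. */
static int match_prefix(const char *encrypted_password, const char *correct_passwd)
{
    return strncmp(encrypted_password, correct_passwd,
                   strlen(correct_passwd)) == 0;
}

/* Same comparison as the #else branch: whole-string equality. */
static int match_full(const char *encrypted_password, const char *correct_passwd)
{
    return strcmp(encrypted_password, correct_passwd) == 0;
}

/* Hypothetical stricter check (not ssh code): reject stored fields shorter
   than min_len, require equal lengths, then compare every byte. */
static int match_strict(const char *computed, const char *stored, size_t min_len)
{
    size_t i, n = strlen(stored);
    unsigned char diff = 0;

    if (n < min_len || strlen(computed) != n)
        return 0;
    for (i = 0; i < n; i++)
        diff |= (unsigned char)(computed[i] ^ stored[i]);
    return diff == 0;
}

int main(void)
{
    /* Constructed strings shaped like 13-character crypt(3) output; not real hashes. */
    const char *computed = "abXXXXXXXXXXX";   /* stands for a wrong password's result */
    const char *stored[] = { "abJnggxhB/yWI", "ab", "" };
    size_t i;

    for (i = 0; i < sizeof stored / sizeof stored[0]; i++)
        printf("stored=\"%s\" prefix=%d full=%d strict=%d\n", stored[i],
               match_prefix(computed, stored[i]),
               match_full(computed, stored[i]),
               match_strict(computed, stored[i], 13));
    return 0;
}
```

With a full-length stored field all three checks agree; they diverge only when the stored field is shorter than the computed string, which is the case an audit of account databases should look for.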
    


