[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [cobalt-security] Re: SSH Packages
- Subject: Re: [cobalt-security] Re: SSH Packages
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Fri, 9 Apr 2004 22:43:21 +0200
- Organization: SOLARSPEED.NET
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
> I've looked there and various other places, but they seem to be built on
> vulnerable versions. For example the solarspeed.net one uses
> OpenSSL-0.9.7b, which is affected as described here:
>
> http://www.openssl.org/news/secadv_20040317.txt
Quote: "could lead to a crash or denial of service". Yeah, which is bad, but
not as bad as what we've seen from prior OpenSSH vulnerabilities which could
lead to a remote root exploit.
At this moment I'm compiling the new OpenSSH-3.8p1 RPMs on the various
plattforms. RaQ3 and RaQ4 is done (not yet available for download, so hold
your breath), RaQ550 is bitching about the dyngroup patch and my XTR runs a
bit hot with half its fans dead, but it hopefully survives the compile
procedure. ;o)
These OpenSSH PKGs will be statically compiled against OpenSSL-0.9.7d and
zlib-1.2.1 as the onboard SSL and Zlib have their own issues. Upgrading these
onboard libs can have ill side effects, so I'll avoid 'em with the static
builds. Like the last few times around.
> The advisory was 17 March 2004, but most package sites don't seem to have
> been updated since last year. Perhaps it's because Sun has EOLed the RAQs?
Well, I didn't learn 'bout the availability of the new OpenSSH-3.8 until two
weeks ago, probably because it wasn't announced on the usual security lists
like Bugtraq or Heise.de. And it was released on Feb 24th.
Also, note that OpenSSL and OpenSSH are two different projects. OpenSSH uses
the OpenSSL library (or parts of it), so vulnerabilities in OpenSSL can have
an impact on all applications which use it. However, vulnerabilities in
OpenSSL do not necessarily mean that they directly affect OpenSSH, as the
vulnerable function(s) might not be used by OpenSSH, or are used in a way
which doesn't let the problem surface during normal operations.
All in all, if the problem had been really critical, then the usual hype about
it on the security lists would have prompted a faster turn around time on
patches. At least on my end ...
--
With best regards,
Michael Stauber