[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-security] Re: SSH Packages

Subject: Re: [cobalt-security] Re: SSH Packages
From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
Date: Fri, 9 Apr 2004 22:43:21 +0200
Organization: SOLARSPEED.NET
List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>

> I've looked there and various other places, but they seem to be built on
> vulnerable versions.  For example the solarspeed.net one uses
> OpenSSL-0.9.7b, which is affected as described here:
>
> http://www.openssl.org/news/secadv_20040317.txt

Quote: "could lead to a crash or denial of service". Yeah, which is bad, but 
not as bad as what we've seen from prior OpenSSH vulnerabilities which could 
lead to a remote root exploit.

At this moment I'm compiling the new OpenSSH-3.8p1 RPMs on the various 
plattforms. RaQ3 and RaQ4 is done (not yet available for download, so hold 
your breath), RaQ550 is bitching about the dyngroup patch and my XTR runs a 
bit hot with half its fans dead, but it hopefully survives the compile 
procedure. ;o)

These OpenSSH PKGs will be statically compiled against OpenSSL-0.9.7d and 
zlib-1.2.1 as the onboard SSL and Zlib have their own issues. Upgrading these 
onboard libs can have ill side effects, so I'll avoid 'em with the static 
builds. Like the last few times around.

> The advisory was 17 March 2004, but most package sites don't seem to have
> been updated since last year.  Perhaps it's because Sun has EOLed the RAQs?

Well, I didn't learn 'bout the availability of the new OpenSSH-3.8 until two 
weeks ago, probably because it wasn't announced on the usual security lists 
like Bugtraq or Heise.de. And it was released on Feb 24th.

Also, note that OpenSSL and OpenSSH are two different projects. OpenSSH uses 
the OpenSSL library (or parts of it), so vulnerabilities in OpenSSL can have 
an impact on all applications which use it. However, vulnerabilities in 
OpenSSL do not necessarily mean that they directly affect OpenSSH, as the 
vulnerable function(s) might not be used by OpenSSH, or are used in a way 
which doesn't let the problem surface during normal operations. 

All in all, if the problem had been really critical, then the usual hype about 
it on the security lists would have prompted a faster turn around time on 
patches. At least on my end ...

-- 

With best regards,

Michael Stauber

Follow-Ups:
- Re: [cobalt-security] Re: SSH Packages [SCANNED]
  - From: Dave's List Addy

References:
- [cobalt-security] Re: SSH Packages
  - From: Rhys Lewis

Prev by Date: [cobalt-security] Re: SSH Packages
Next by Date: Re: [cobalt-security] Re: SSH Packages [SCANNED]
Previous by thread: [cobalt-security] Re: SSH Packages
Next by thread: Re: [cobalt-security] Re: SSH Packages [SCANNED]

Sun Cobalt Security Message Index

Sun Cobalt Security Thread Index