RE: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0
From: Jonathan A. Zdziarski (jonathan.zdziarski@micromuse.com)
Date: 07/23/01
- In reply to: Jaime BENJUMEA: "Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0"
- Next in thread: Roman Drahtmueller: "Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0"
From: "Jonathan A. Zdziarski" <jonathan.zdziarski@micromuse.com>
To: "Jaime BENJUMEA" <benjumea@dte.us.es>, "Stephanie Thomas" <customer.service@ssh.com>
Subject: RE: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0
Date: Mon, 23 Jul 2001 13:12:07 -0400
Message-ID: <COEPIIFFJPONEJNLHKOEIEGDCBAA.jonathan.zdziarski@micromuse.com>

Both 2.3.0 and 2.4.0 don't appear to be vulnerable on my system (Intel
Solaris 8). 3.0.0 *was* vulnerable, however, and I was able to easily
exploit the system.
-----Original Message-----
From: Jaime BENJUMEA [mailto:benjumea@dte.us.es]
Sent: Saturday, July 21, 2001 12:27 PM
To: Stephanie Thomas
Cc: bugtraq@securityfocus.com
Subject: Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0
Stephanie Thomas wrote:
>
> A potential remote root exploit has been discovered
> in SSH Secure Shell 3.0.0, for Unix only, concerning
> accounts with password fields consisting of two or
> fewer characters. Unauthorized users could potentially
> log in to these accounts using any password, including
> an empty password. This affects SSH Secure Shell 3.0.0
> for Unix only. This is a problem with password
Does anybody know if previous versions (2.4) are also affected?
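
An added example, not part of the original thread or of the vendor's advisory: a Python audit that lists accounts whose password field has two or fewer characters, the condition the quoted advisory names. The shadow-style colon-separated layout, the function name `short_password_fields`, and the sample entries are assumptions constructed for illustration.

```python
"""Flag accounts whose password field has two or fewer characters."""
import sys

# Constructed sample in shadow-style layout (name:password:...); not real data.
SAMPLE_SHADOW = """\
root:$1$Jq0r2nZp$0bXy1T3xPz7h9QeUu4mV71:11500:0:99999:7:::
daemon:NP:6445::::::
bin:*:11500:0:99999:7:::
adm:!!:11500:0:99999:7:::
lp:*LK*:6445::::::
guest::11500:0:99999:7:::
# comment line
malformed-line-without-fields
alice:abJnggxhB/yWI:11500:0:99999:7:::
"""


def short_password_fields(lines, max_len=2):
    """Return (line_no, account, field) for each entry whose password
    field is max_len characters or shorter (empty fields included)."""
    findings = []
    for line_no, raw in enumerate(lines, start=1):
        line = raw.rstrip("\n")
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        parts = line.split(":")
        if len(parts) < 2:
            continue  # not a name:password:... record; skip rather than guess
        account, field = parts[0], parts[1]
        if len(field) <= max_len:
            findings.append((line_no, account, field))
    return findings


def main(argv):
    # With a path argument, audit that file; otherwise use the constructed sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_SHADOW.splitlines()
    for line_no, account, field in short_password_fields(lines):
        label = "empty" if field == "" else repr(field)
        print(f"line {line_no}: {account}: password field {label}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pass the path of a shadow-format file as the only argument to audit it (reading the system's real file normally requires root); with no argument the script runs on the constructed sample.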