RE: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0

From: Stephanie Thomas (customer.service@ssh.com)
Date: 07/24/01


From: "Stephanie Thomas" <customer.service@ssh.com>
To: "Roman Drahtmueller" <draht@suse.de>, <bugtraq@securityfocus.com>, <security@suse.de>
Subject: RE: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0
Date: Mon, 23 Jul 2001 16:04:00 -0700
Message-ID: <FNEKKFMHLBAMAHPEHBLMMEAHCAAA.customer.service@ssh.com>

Hi Roman and Others,

Thanks for the feedback.

SSH Secure Shell 3.0.0 does not ship with any
of the operating systems mentioned, nor does the
announcement specify that it does. However, if a
user has explicitly installed SSH Secure Shell 3.0.0
on any of the listed operating systems, they are
vulnerable to this potential exploit.

Please understand that we receive many support requests
from administrators using either the commercial or
non-commercial versions of SSH Secure Shell on SuSE, Red Hat,
Caldera, and other Linux versions - even though SSH Secure
Shell is not bundled with these operating systems. Because
of this, we wish to ensure that those users are aware that
this issue does affect them, and what they can do to
protect themselves.

We have listed those operating systems which we know
are vulnerable _with SSH Secure Shell 3.0.0 installed_.

My apologies if this was not clear in the original
announcement.

Best Regards,

Steph

-----Original Message-----
From: Roman Drahtmueller [mailto:draht@suse.de]
Sent: Monday, July 23, 2001 9:03 AM
To: Stephanie Thomas; bugtraq@securityfocus.com; security@suse.de
Subject: Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0

> From: Stephanie Thomas <customer.service@ssh.com>
> To: bugtraq@securityfocus.com
> Date: Fri, 20 Jul 2001 17:34:02 -0700
> Subject: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0
[...]
> PLATFORMS IMPACTED:
>
> Red Hat Linux 6.1 thru 7.1
> Solaris 2.6 thru 2.8
> HP-UX 10.20
> HP-UX 11.00
> Caldera Linux 2.4
> Suse Linux 6.4 thru 7.0

Numerous requests force an additional statement.

The ssh versions 3.* are not shipped with SuSE Linux, in any version of the
distribution.

Thanks to Frank Denis for pointing this out on bugtraq.

Since most of the mentioned systems are older than ssh-3.*, it seems
logical that these systems can't be affected by default. It should have
been mentioned that the platforms mentioned above are vulnerable if the
said version of ssh has been installed on them.
I wish for more precision in future security announcements from ssh.com.

Roman Drahtmüller,
SuSE Security.

--
 -                                                                      -
| Roman Drahtmüller      <draht@suse.de> //          "Caution: Cape does |
  SuSE GmbH - Security           Phone: //       not enable user to fly."
| Nürnberg, Germany     +49-911-740530 // (Batman Costume warning label) |
 -                                                                      -