"Sun SSH" vulnerable to OpenSSH 2.9.9-3.3 exploit ?

From: Jan-Philip Velders (jpv@jpv.xs4all.nl)
Date: 06/26/02


Date: Wed, 26 Jun 2002 20:48:18 +0200 (CEST)
From: Jan-Philip Velders <jpv@jpv.xs4all.nl>
To: focus-sun@securityfocus.com


Hi,

Solaris 9 ships with "Sun SSH" 1.0 (OpenSSH based from what I can
tell). But unfortunately I'm unable to see which version of OpenSSH
it's based on. From the inclusion of sftp, I'd gather 2.5 or higher.

With the recent SSHv2 frenzy about privsep (Privilege Separation,
running a big chunk of code somewhat chrooted) not being susceptible
to the remote root exploit for the ChallengeResponse-bug, I was
wondering if other people have more information on this.

I feel more at risk running SUN SSH than OpenSSH, because I'm unable
to relate which problems there might be with SUN SSH depending on the
OpenSSH codebase used for it... (though having an SSH doing all the
limit-stuff etc. is also very nice ;) )

Kind Regards,
JP Velders


