Contributed by jose on from the unbreakable? dept.
"Rapid7 has discovered a new class of vulnerabilities affecting SSH2 implementations from many vendors. These vulnerabilities affect a wide variety of SSH servers and SSH clients, including F-Secure, SSH Inc., PuTTY, etc. OpenSSH is not affected. Good to see that the careful design of OpenSSH can withstand the brutality of the shredder. CERT has released CA-2002-36 on the issue. To test the security and robustness of a wide variety of SSH implementations, designed an SSH protocol test suite called SSHredder. The SSHredder test suite contains a large number of SSH2 protocol test cases and has been released under a BSD license. These test cases were systematically crafted to expose a wide range of vulnerabilities in SSH implementations. Rapid7's testing has revealed many defects ranging from simple buffer overflows to subtle string-handling errors."
By El Volio () kylem@xwell.org on http://xwell.org
By David Krause () on http://www.rapid7.com/advisories/R7-0009.txt
o F-Secure Corp. SSH servers and clients for UNIX
v3.1.0 (build 11) and earlier
o F-Secure Corp. SSH for Windows
v5.2 and earlier
o SSH Communications Security, Inc. SSH for Windows
v3.2.2 and earlier
o SSH Communications Security, Inc. SSH for UNIX
v3.2.2 and earlier
o FiSSH SSH client for Windows
v1.0A and earlier
o InterSoft Int'l, Inc. SecureNetTerm client for Windows
v5.4.1 and earlier
o NetComposite ShellGuard SSH client for Windows
v3.4.6 and earlier
o Pragma Systems, Inc. SecureShell SSH server for Windows
v2 and earlier
o PuTTY SSH client for Windows
v0.53 and earlier (v0.53b not affected)
o WinSCP SCP client for Windows
v2.0.0 and earlier
By RC () on
So, OpenSSH was more secure than SSH even before priv sep was introduced, and I imagine OpenSSH's lead is only getting better.
By Anonymous Coward () on
By smellyfart () on
I have heard rumors as well.
Although I am not a good authority, and in fact have no clue about anything. Just some dood on IRC told me that they have exploits and stuffs like that.
so yah, werd up
By W () on
By W () on
By Anonymous Coward () on
By W () on
By RC () on
> authority? How can we *not* believe you!
Well, I am not a troll, and you can search through previous posts of mine to see that I do not have a habit of trolling nor of spreading false information.
However, I do NOT have first-hand knowledge that the exploit(s) do(es) exist, so, yes, you should take this with a grain of salt.
By couderc () on
At least, even if it was lying he takes on.
By Anonymous Coward () on
By W () on
By Anonymous Coward () on
By Anonymous Coward () on