
Re: openssh 3.1 & www.openbsd.org



On Fri, 8 Mar 2002, Alex de Joode wrote:

> 1) why didn't the announcement of OpenSSH 3.1 contain at least
>    an advisory to upgrade as there was a hole in the previous
>    versions. People reading the announcement would not think
>    "hey I *need* to upgrade".

You can patch your OpenSSH 3.0.2, or even older versions. You don't *need*
to upgrade to 3.1.

> 2) given the openssh hole, it might be needed to change the
>    OpenBSD website:
>
>    "Four days without a remote hole in the default install!"
>
>    or do the OpenBSD developers deem the hole not remote enough?

Has it been proven that the bug in OpenSSH is remotely exploitable? Where is
the proof-of-concept code?

Cheers,

Dries
-- 
Dries Schellekens
email: gwyllion@ulyssis.org