No, not all of us knew about this one... An SSH overflow bug? Gee Whiz?! You'd have thought overflow bugs would have been stamped out LONG ago?! -sigh-

This has me a little concerned and I'd appreciate a confirmation of something, please...

A while back I recall, though only vaguely, that my site has chosen to run a different (non-RedHat Default) version of SSH due to some quirks regarding differences in the management of public and private keys. The version we ended up with does NOT claim to be OpenSSH, but instead just

    ssh: SSH Version x.y.z

or, when connecting remotely:

    debug: Remote version: SSH-x.y.z (non-commercial)

What I'm asking is, is it correct that because it doesn't say "OpenSSH" that it's not in the affected code line? I'm pretty sure, but when it comes to security, assumptions are a bad idea!

Thanks for your response.

Richard

> > I know you're all probably aware of this by now, but a serious hole is in
> > all versions of OpenSSH shipped with all versions of RedHat:
> >
> > http://online.securityfocus.com/archive/1/278818/2002-06-23/2002-06-29/0
>
> This was, according to Theo de Raadt, not supposed to come out till after
> a patched version is released Friday. This is most certainly
> irresponsible!
>
> ...james
>
> > Someone needs to beat ISS up a bit, IMHO; this is irresponsible. They are
> > releasing these holes just as soon as possible as media stunts for their
> > software.

_______________________________________________
Redhat-devel-list mailing list
Redhat-devel-list@redhat.com
https://listman.redhat.com/mailman/listinfo/redhat-devel-list