Remote exploits in OpenSSH's sshd 1.2.33?

09/11/2006, 11h23

Are there any known remote exploits in OpenSSH's sshd 1.2.33? (yes, it's
a very *old* version)

In general: Where do I find a list of remote exploits in OpenSSH?

--
Felix E. Klee

09/11/2006, 20h20

On 2006-11-09, Felix E. Klee <fk@liburg.de> wrote:

> Are there any known remote exploits in OpenSSH's sshd 1.2.33? (yes, it's
> a very *old* version)
>
> In general: Where do I find a list of remote exploits in OpenSSH?

You deduce it from the series of security announcements and source
changes leading from the version of interest to the present day -
just like you would for most other s/w.

Or you buy enough drinks at a CCC meeting.

--
Elvis Notargiacomo master AT barefaced DOT cheek
http://www.notatla.org.uk/goen/

10/11/2006, 08h12

"Felix E. Klee" <fk@liburg.de> writes:

> Are there any known remote exploits in OpenSSH's sshd 1.2.33? (yes, it's
> a very *old* version)
>
> In general: Where do I find a list of remote exploits in OpenSSH?

Gotta do some sifting, but
http://www.securityfocus.com/vulnerabilities

will get you vulnerabilities that are applicable to a given version.

Select openssh as the vendor , openssh as the title, 1.2.3 as version
and you get

OpenSSH Challenge-Response Buffer Overflow Vulnerabilities
2002-06-24
http://www.securityfocus.com/bid/5093

SSH CRC-32 Compensation Attack Detector Vulnerability
2001-02-08
http://www.securityfocus.com/bid/2347

PKCS #1 Version 1.5 Session Key Retrieval Vulnerability
2001-02-06
http://www.securityfocus.com/bid/2344

--
Todd H.
http://www.toddh.net/

10/11/2006, 12h14

On Fri, 10 Nov 2006 02:12:48 -0600, Todd H. wrote:
> http://www.securityfocus.com/vulnerabilities

Thanks for the link! Now we have to investigate whether the software in
question is really affected.

--
Felix E. Klee

09/11/2006, 11h23	#1 (permalink)
Felix E. Klee Messages: n/a Hébergeur:	Remote exploits in OpenSSH's sshd 1.2.33? Are there any known remote exploits in OpenSSH's sshd 1.2.33? (yes, it's a very old version) In general: Where do I find a list of remote exploits in OpenSSH? -- Felix E. Klee

09/11/2006, 20h20	#2 (permalink)
all mail refused Messages: n/a Hébergeur:	Re: Remote exploits in OpenSSH's sshd 1.2.33? On 2006-11-09, Felix E. Klee <fk@liburg.de> wrote: > Are there any known remote exploits in OpenSSH's sshd 1.2.33? (yes, it's > a very old version) > > In general: Where do I find a list of remote exploits in OpenSSH? You deduce it from the series of security announcements and source changes leading from the version of interest to the present day - just like you would for most other s/w. Or you buy enough drinks at a CCC meeting. -- Elvis Notargiacomo master AT barefaced DOT cheek http://www.notatla.org.uk/goen/

10/11/2006, 08h12	#3 (permalink)
Todd H. Messages: n/a Hébergeur:	Re: Remote exploits in OpenSSH's sshd 1.2.33? "Felix E. Klee" <fk@liburg.de> writes: > Are there any known remote exploits in OpenSSH's sshd 1.2.33? (yes, it's > a very old version) > > In general: Where do I find a list of remote exploits in OpenSSH? Gotta do some sifting, but http://www.securityfocus.com/vulnerabilities will get you vulnerabilities that are applicable to a given version. Select openssh as the vendor , openssh as the title, 1.2.3 as version and you get OpenSSH Challenge-Response Buffer Overflow Vulnerabilities 2002-06-24 http://www.securityfocus.com/bid/5093 SSH CRC-32 Compensation Attack Detector Vulnerability 2001-02-08 http://www.securityfocus.com/bid/2347 PKCS #1 Version 1.5 Session Key Retrieval Vulnerability 2001-02-06 http://www.securityfocus.com/bid/2344 -- Todd H. http://www.toddh.net/

10/11/2006, 12h14	#4 (permalink)
Felix E. Klee Messages: n/a Hébergeur:	Re: Remote exploits in OpenSSH's sshd 1.2.33? On Fri, 10 Nov 2006 02:12:48 -0600, Todd H. wrote: > http://www.securityfocus.com/vulnerabilities Thanks for the link! Now we have to investigate whether the software in question is really affected. -- Felix E. Klee

Outils de la discussion
Afficher une version imprimable Envoyer un lien vers cette page par email