Corrections to "A Rough Year for OpenSSH"
Following the posting of Jose Nazario's article, "A Rough Year for OpenSSH", on the Linux Journal web site on January 2nd, we received an e-mail from Theo de Raadt, the OpenSSH project founder. His purpose in writing was to clarify a couple of errors and misrepresentations in the article.
Regarding the crc32 deattack code, Jose's article states:
Due to the nature of the vulnerability, this issue was addressed immediately by both the SSH developers and the OpenSSH team. Since SSH version 1.2.32 and OpenSSH version 2.3.0, this issue has been fixed. All SSH users should have upgraded as this is being actively exploited.
In actuality, OpenSSH's fix was made available in October 2000, several months before the hole was found. The fix was included in OpenSSH 2.3.0, which shipped right around that time--October 2000, not 2001--and can be seen in the revision information Theo sent:
revision 1.10
date: 2000/10/31 13:18:53;  author: markus;  state: Exp;  lines: +2 -2
branches:  1.10.2;
so that large packets do not wrap "n"; from netbsd
Therefore, the article's statement that "this issue was addressed immediately by both the SSH developers and the OpenSSH team" is incorrect--the OpenSSH fix was available months earlier.
Theo also points out another inaccuracy in the above statement: SSH.com took roughly three months to make an official release with the fix, so that side of the issue was not addressed immediately either.
Heather Mead is Associate Editor of Linux Journal.