Corrections to "A Rough Year for OpenSSH"
Following the posting of Jose Nazario's article, "A Rough Year for OpenSSH", on the Linux Journal web site on January 2nd, we received an e-mail from Theo de Raadt, the OpenSSH project founder. His purpose in writing was to clarify a couple of errors and misrepresentations in the article.
Regarding the crc32 deattack code, Jose's article states:
Due to the nature of the vulnerability, this issue was addressed immediately by both the SSH developers and the OpenSSH team. Since SSH version 1.2.32 and OpenSSH version 2.3.0, this issue has been fixed. All SSH users should have upgraded as this is being actively exploited.
In actuality, OpenSSH's fix was made available in October 2000, several months before the hole was found. The fix was included in OpenSSH 2.3.0, which shipped right around that time--October 2000, not 2001--and can be seen in the revision information Theo sent:
revision 1.10
date: 2000/10/31 13:18:53; author: markus; state: Exp; lines: +2 -2
branches: 1.10.2;
so that large packets do not wrap "n"; from netbsd
Therefore, the article's statement that "this issue was addressed immediately by both the SSH developers and the OpenSSH team" is incorrect--the OpenSSH fix was available months earlier.
Theo also points out another inaccuracy in the above statement: SSH.com took roughly three months to make an official release with the fix.
Heather Mead is Associate Editor of Linux Journal.