Home

Corrections to "A Rough Year for OpenSSH"

Jan 05, 2002  By Heather Mead
 in
Theo de Raadt sets the record straight on a few points in the OpenSSH fix timeline.

Following the posting of Jose Nazario's article, "A Rough Year for OpenSSH", on the Linux Journal web site on January 2nd, we received an e-mail from Theo de Raadt, the OpenSSH project founder. His purpose in writing was to clarify a couple of errors and misrepresentations in the article.

Regarding the crc32 deattack code, Jose's article states:

Due to the nature of the vulnerability, this issue was addressed immediately by both the SSH developers and the OpenSSH team. Since SSH version 1.2.32 and OpenSSH version 2.3.0, this issue has been fixed. All SSH users should have upgraded as this is being actively exploited.

In actuality, OpenSSH's fix was made available in October 2000, several months before the hole was found. The fix was included in OpenSSH 2.3.0, which shipped right around that time--October 2000, not 2001--and can be seen in the revision information Theo sent:

revision 1.10 date: 2000/10/31 13:18:53; author: markus; state: Exp; lines: +2 -2 branches: 1.10.2; so that large packets do not wrap "n"; from netbsd

Therefore, the article's statement that "this issue was addressed immediately by both the SSH developers and the OpenSSH team" is incorrect--the OpenSSH fix was available months earlier.

Theo also points out another inaccuracy with the above statement; SSH.com took roughly three months to make an official release with the fix.

Heather Mead is Associate Editor of Linux Journal.

email: heather@ssc.com

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Re: Corrections to

jnazario's picture
Submitted by jnazario (not verified) on Sat, 01/05/2002 - 03:00.

thanks for the correction, theo, and thanks for posting it, heather. i should have been a bit more careful there.

Webcast
More Resources
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers

Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.

Learn More

Sponsored by AMD

White Paper
More Resources
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState