tech-security: Re: How to update to the latest OpenSSH?

Subject: Re: How to update to the latest OpenSSH?
To: Jan Schaumann <jschauma@netmeister.org>
From: Markus Friedl <markus@openssh.com>
List: tech-security
Date: 12/06/2001 11:48:50

> > sshd version OpenSSH_2.5.1 NetBSD_Secure_Shell-20010219
> 
> I was under the impression the exploit affects OpenSSH <= 2.3.0 ?

No, the crc32 remote exploits affect OpenSSH < 2.3.0.

OpenSSH 2.3.0 from November 2000 is not affected.

The all recently found problems in OpenSSH are local, the default
installations should not be affected.

I don't think the UseLogin problem is a reason to panic, unless you
really need UseLogin (how many do? and UseLogin only works for 'slogin'
style logins, not for remote command execution).

-m