Date: Wed, 17 Jan 2001 18:15:30 -0800 From: Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET> Subject: FORW: Re: Bug in SSH1 secure-RPC support can expose users' To: BUGTRAQ@SECURITYFOCUS.COM For some reason my Bugtraq post where I asked the below questions was not approved (I guess the patches URL issue had been resolved by moderation time, but the affected versions issue had not -- the advisory only makes reference to 1.2.30). Therefore, I sent the questions to ssh.com directly. Below is the response. ------- Forwarded Message Message-ID: <3A661F71.1553A3AC@ssh.com> Date: Wed, 17 Jan 2001 14:40:49 -0800 From: Stephanie Thomas <steph@ssh.com> Organization: SSH Communications Security Inc. To: Dan Harkless <dan-bugtraq@dilvish.speed.net> Subject: Re: Bug in SSH1 secure-RPC support can expose users' private keys References: <20010116091449.A2299@ssh.com> <200101172045.MAA15310@dilvish.speed.net> Hi Dan, All versions of SSH1, from 1.2.30 back (including 1.2.27), are vulnerable. Sorry about the incorrect url. Here's the correct one: http://www.ssh.com/ssh/patches.html Best Regards, Steph Dan Harkless wrote: > > ssh2-bugs@ssh.com writes: > > There is a bug in SSH-1.2.30 > > So is 1.2.27 not vulnerable? > > > involving Secure RPC. The patch for this is available at > > http://www.ssh.com/patches.html. > > No it isn't. That just gets a 404. > > ---------------------------------------------------------------------- > Dan Harkless | To prevent SPAM contamination, please > dan-bugtraq@dilvish.speed.net | do not mention this private email > SpeedGate Communications, Inc. | address in Usenet posts. Thank you. - -- Stephanie Thomas Technical Support Specialist SSH Communications Security Inc. 1076A E. Meadows Circle Palo Alto, CA 94303 ssh-support@ssh.com Conference NOTE: I will be out January 28, 2001 thru February 3, 2001 for the SANS conference. I will be checking email, but connectivity may be sporadic. When sending email regarding support, please be sure to cc: ssh-support@ssh.com to ensure that your request will be handled during my absence. ------- End of Forwarded Message ---------------------------------------------------------------------- Dan Harkless | To prevent SPAM contamination, please dan-bugtraq@dilvish.speed.net | do not mention this private email SpeedGate Communications, Inc. | address in Usenet posts. Thank you.