orzetto (Apprentice)
Joined: 05 Mar 2003, Posts: 165, Location: Magdeburg, Germany
Posted: Wed Sep 17, 2003 8:26 am
Post subject: My system admins & ssh bug
Hi all,
I heard yesterday of the ssh bug on Slashdot, and I immediately shut down the sshd running on my office machine. I upgraded this morning and everything is fine with me.
However, I told the sysadmins of my university's network (they run RedHat), and later, out of curiosity, I logged in to the network and ran:
Code:
    ******@login4:~>ssh -V
    OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
They are still running 3.1! I wonder, is the vulnerability something new that does not apply to 3.1 (I doubt it), or do I have to storm the IT department with a lightsaber to get them to upgrade their software? On rpmfind I could see, from a search on openssh, that that version was distributed with the RedHat 7 series. I fear I have to assume they did not maintain the other packages either.
How bad do you think it is? I'm no IT security pro (I'm a PhD student in chemical engineering), but this looks quite dangerous to me. They have a lot of important files on the common RAID architecture that one can access via ssh - fortunately they take daily backups.
We already had a break-in earlier this year, and I think I understand why now...
_________________
Why is everybody always generalising?
robdavies (Tux's lil' helper)
Joined: 06 Sep 2003, Posts: 90
Posted: Wed Sep 17, 2003 9:18 am
Two things:
1) RH may issue patches to older versions of openssh, rather than move to the latest and greatest, for stability and commercial reasons (if they updated all their packages in old releases, there'd be little reason to buy a new version and upgrade down the line).
You'd have to check RH's bulletins and compare the rpm versions installed using rpm -q openssh, to see if they've not updated them.
2) Decision to ignore vulnerability
The issue may have been assessed and considered unimportant. Perhaps ssh is only used within the LAN and firewalling prevents external access.
Whilst long term it's wiser to patch, often stability is improved if a short delay of a week or so is made to allow testing, and modifications are given a chance to settle down.
openssh made 2 releases yesterday; 3.7.1 added additional fixes to 3.7, and sometimes initial security fixes which are released in a rush break things.
el*Loco (Tux's lil' helper)
Joined: 29 Jan 2003, Posts: 91, Location: Cologne, Germany
Posted: Wed Sep 17, 2003 10:09 am
robdavies wrote:
> RH may issue patches to older versions of openssh, rather than move to the latest and greatest, for stability and commercial reasons (if they updated all their packages in old releases, there'd be little reason to buy a new version and upgrade down the line).
> You'd have to check RH's bulletins and compare the rpm versions installed using rpm -q openssh, to see if they've not updated them.
Look at:
https://rhn.redhat.com/errata/rh9-errata-security.html
https://rhn.redhat.com/errata/RHSA-2003-279.html
OpenSSH 3.1p1 is the latest RPM for RH 7.1-7.3
_________________
WARNING: Do not let Dr. Mario touch your genitals. He is not a real doctor!
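The two checks discussed in this thread, the `ssh -V` banner orzetto ran and the `rpm -q openssh` comparison robdavies suggests, as an added example that is not part of any post above. It is a small POSIX sh audit helper: it extracts the upstream version from an `ssh -V` banner, compares it against the minimum fixed upstream version (3.7.1 in the thread), and, for the Red Hat case, splits an rpm name-version-release string and compares the vendor release number instead, since a backported fix leaves the upstream version untouched. The rpm release numbers used in the sample input are constructed placeholders, not real Red Hat errata values; the `openssh-VERSION-RELEASE` output format without an architecture suffix is an assumption about `rpm -q` on RH 7.x.

```shell
#!/bin/sh
# Added example: audit OpenSSH version strings the way this thread describes.
# Not code from the forum posts. POSIX sh + sed + awk only.

# Extract "3.1p1" from a banner such as
# "OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f".
# On a real host the banner comes from `ssh -V 2>&1` (ssh prints it to stderr).
openssh_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*p\{0,1\}[0-9]*\).*/\1/p'
}

# Print 1 if dotted version $1 >= $2, else 0. The portable-release suffix
# ("p1") is ignored, so 3.7.1p1 and 3.7.1p2 compare as equal.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/p[0-9]*$/, "", a); sub(/p[0-9]*$/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0   # missing component counts as 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi > yi) { print 1; exit }
            if (xi < yi) { print 0; exit }
        }
        print 1
    }'
}

# Classify a banner against the minimum fixed upstream version.
# A lower upstream version is reported as "needs-vendor-check", not
# "vulnerable": a distribution package may carry a backported fix.
banner_status() {
    v=$(openssh_version_from_banner "$1")
    [ -n "$v" ] || { echo unknown; return 0; }
    if [ "$(version_ge "$v" "$2")" -eq 1 ]; then
        echo upstream-fixed
    else
        echo needs-vendor-check
    fi
}

# Split "openssh-3.1p1-14" (constructed sample, not a real RH release)
# into "3.1p1 14". Assumes `rpm -q openssh` output without an arch suffix.
rpm_version_release() {
    printf '%s\n' "$1" | sed -n 's/^openssh-\([^-]*\)-\([^-]*\)$/\1 \2/p'
}

# Print 1 if installed rpm $1 is at least version $2 release $3, else 0.
# When the upstream version matches, the vendor release number decides,
# which is exactly the comparison against the errata that robdavies describes.
rpm_at_least() {
    vr=$(rpm_version_release "$1")
    [ -n "$vr" ] || { echo 0; return 0; }
    iv=${vr%% *}; ir=${vr#* }
    if [ "$(version_ge "$iv" "$2")" -eq 1 ] && [ "$(version_ge "$2" "$iv")" -eq 1 ]; then
        version_ge "$ir" "$3"
    else
        version_ge "$iv" "$2"
    fi
}

# Demonstration on constructed input (the banner is the one from the thread).
sample_banner='OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f'
echo "banner: $(banner_status "$sample_banner" 3.7.1)"
echo "rpm openssh-3.1p1-6 vs fixed release 14 (placeholder): $(rpm_at_least openssh-3.1p1-6 3.1p1 14)"
```

Run it against live output with `banner_status "$(ssh -V 2>&1)" 3.7.1` and `rpm_at_least "$(rpm -q openssh)" VERSION RELEASE`, taking VERSION and RELEASE from the vendor's advisory rather than from the upstream release notes; the banner check alone cannot distinguish a patched vendor package from an unpatched one.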