From tsl@TRUSTIX.COM Thu Mar 29 15:58:42 2001 From: tsl@TRUSTIX.COM To: BUGTRAQ@SECURITYFOCUS.COM Date: Thu, 29 Mar 2001 13:58:25 +0200 Subject: [BUGTRAQ] Trustix Security Advisory #2001-0002 - OpenSSH -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Trustix Secure Linux Security Advisory #2001-0002 Package name: OpenSSH Severity: Possible to determine password length Date: 2001-03-29 Affected versions: TSL 1.01, 1.1, 1.2 - -------------------------------------------------------------------------- Problem description: From the release notes of Portable OpenSSH-2.5.2p2: Security related changes: Improved countermeasure against "Passive Analysis of SSH (Secure Shell) Traffic" http://openwall.com/advisories/OW-003-ssh-traffic-analysis.txt The countermeasures introduced in earlier OpenSSH-2.5.x versions caused interoperability problems with some other implementations. Improved countermeasure against "SSH protocol 1.5 session key recovery vulnerability" http://www.core-sdi.com/advisories/ssh1_sessionkey_recovery.htm Action: We recommend all systems which has this package installed to be upgraded. Location: All TSL updates are available from Users of the SWUP tool, can enjoy having the security updates automatically installed using 'swup --upgrade'. Get SWUP from: ftp://ftp.trustix.net/pub/Trustix/software/swup/ Questions? Check out our mailinglists: http://www.trustix.net/support/ Verification: This advisory is signed with the TSL sign key. It is available from: http://www.trustix.net/TSL-GPG-KEY Trustix Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE6wyAzwRTcg4BxxS0RAodOAJ9G9BtOZaTpzYpbSkJDhXqKEn2ySwCfSXtq 52GvTRB1mSqAg+8difECgQk= =MEis -----END PGP SIGNATURE----- -- Trustix Secure Linux Advisor Homepage: http://www.trustix.net/ Errata: http://www.trustix.net/errata/ Automatic updates: http://www.trustix.net/pub/Trustix/software/swup/