Progeny Security Advisory: OpenSSH subject to traffic analysis
Apr 13, 2001, 09:30
Date: Thu, 12 Apr 2001 14:03:53 -0500
From: Progeny Security Team <security@PROGENY.COM>
Subject: PROGENY-SA-2001-04: OpenSSH subject to traffic analysis
PROGENY LINUX SYSTEMS -- SECURITY ADVISORY PROGENY-SA-2001-04
Topic: OpenSSH subject to traffic analysis
Category: net
Module: openssh
Announced: 2001-04-12
Credits: Solar Designer <email@example.com>
         BugTraq Mailing List <firstname.lastname@example.org>
Affects: Progeny Debian (openssh prior to 2.5.2p2-0progeny1)
         Debian GNU/Linux (openssh prior to 2.5.2)
Vendor-Status: New Version Released (openssh_2.5.2p2-0progeny1)
Corrected: 2001-04-12
Progeny Only: NO
$Id: PROGENY-SA-2001-04,v 1.8 2001/04/12 18:02:02 jdaily Exp $
A number of security problems existed in previous versions of OpenSSH which would allow an attacker to obtain sensitive information by passively monitoring encrypted SSH (Secure Shell) sessions.
Solar Designer has conducted a very thorough analysis of several weaknesses in implementations of the SSH protocol. These weaknesses allow an attacker to significantly speed up brute force attacks on passwords. Solar Designer's complete analysis can be found at the following page:
In February of 2001, Core SDI released a security announcement which described ways in which an attacker could compromise an SSH protocol 1.5 session. The detailed report is at the following URL:
Shortcomings in the OpenSSH implementation of the SSH protocol allow malicious third parties to compromise sensitive data.
Upgrade to a fixed version of OpenSSH. You may use Progeny's OpenSSH package, version openssh_2.5.2p2-0progeny1, for convenience.
There is no known satisfactory workaround at this time.
UPDATING VIA APT-GET
deb http://archive.progeny.com/progeny updates/newton/
2. Update your cache of available packages for apt(8).
# apt-get update
3. Using apt(8), install the new ssh package. apt(8) will download
the update, verify its integrity with md5, and then install the package on your system with dpkg(8).
# apt-get install ssh
UPDATING VIA DPKG
Filename MD5 Checksum
2. Use the md5sum command on the retrieved file to verify that it matches
the md5sum provided in this advisory:
# md5sum ssh_2.5.2p2-0progeny1_i386.deb
3. Then install the replacement package(s) using the dpkg command.
# dpkg --install ssh_2.5.2p2-0progeny1_i386.deb
There is no more information available at this time.
pub 1024D/F92D4D1F 2001-04-04 Progeny Security Team <email@example.com>