Updated: June 27, 2002
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Cisco has published an advisory regarding this issue; for more information, please visit http://www.cisco.com/warp/public/707/SSH-multiple-pub.html. Please note that this vulnerability is separate from the issue described in VU#945216 (SSH CRC32 attack detection code contains remote integer overflow). This vulnerability exists in a patch produced by CORE-SDI to address VU#13877.
Updated: November 06, 2001
Affected
See http://www.openssh.com/security.html.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: November 06, 2001
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
This vulnerability was first addressed by incorporating code written by CORE-SDI to detect and block CRC32 attacks. However, an implementation error in this code caused the vulnerability described in VU#945216, which was ultimately addressed in Secure Shell 1.2.32, available at ftp://ftp.ssh.com/pub/ssh/. SSH Communications has released a public statement regarding VU#945216; for more information, please visit http://www.ssh.com/products/ssh/advisories/ssh1_crc-32.cfm. It is important to note that versions 2.x and 3.x of SSH Secure Shell do not serve as replacements for the SSH1 protocol. Rather, they rely upon an existing installation of Secure Shell 1.x to handle SSH1 connections. Thus, installing a version 2.x or 3.x server does not obviate the need to maintain installations of Secure Shell 1.x.