AppGate Network Security AB

Updated:  September 23, 2003

Status

  Not Vulnerable

Vendor Statement

The OpenSSH used in AppGate has PAM disabled, so AppGate is not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Apple Computer Inc.

Updated:  September 23, 2003

Status

  Not Vulnerable

Vendor Statement

Apple: Not Vulnerable. Mac OS X is configured in a manner that is not susceptible to this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Bitvise

Updated:  September 23, 2003

Status

  Not Vulnerable

Vendor Statement

Our WinSSHD server is based on different architecture and shares no codebase with OpenSSH; it is thus not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Check Point

Updated:  September 24, 2003

Status

  Not Vulnerable

Vendor Statement

No versions of Check Point products are affected by this advisory.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Cisco Systems Inc.

Updated:  September 23, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Clavister

Updated:  September 24, 2003

Status

  Not Vulnerable

Vendor Statement

Not Affected: No Clavister products implement the SSH protocol.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Cray Inc.

Updated:  September 23, 2003

Status

  Not Vulnerable

Vendor Statement

Cray Inc. does support OpenSSH; however, it is not currently supporting OpenSSH 3.7. Even so, Cray does not compile with the "--with-pam" option and defaults to PrivilegeSeparation enabled. So Cray Inc. is not vulnerable to this.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Debian

Updated:  September 23, 2003

Status

  Not Vulnerable

Vendor Statement

The packages in the current Debian release (Debian 3.0/woody) are not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Gentoo Linux

Updated:  September 24, 2003

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

GENTOO LINUX SECURITY ANNOUNCEMENT 200309-14

PACKAGE : openssh
SUMMARY : multiple vulnerabilities in new PAM code
DATE : 2003-09-23 20:25 UTC
EXPLOIT : remote
VERSIONS AFFECTED : =openssh-3.7.1_p2
CVE :

quote from advisory:

"Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the new PAM code. At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled)."

read the full advisory at:
http://www.openssh.com/txt/sshpam.adv

SOLUTION

It is recommended that all Gentoo Linux users who are running net-misc/openssh upgrade to openssh-3.7.1_p2 as follows:

  emerge sync
  emerge openssh
  emerge clean

aliz@gentoo.org - GnuPG key is available at http://dev.gentoo.org/~aliz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/cKxBfT7nyhUpoZMRAmw0AJ92FPN0+E9Sm30c8B8rjF31/gQ7UwCcCWmi
ZSsCQAtKpTlq4M/KTdfMQ5M=
=mEO/
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

IBM eServer

Updated:  September 23, 2003

Status

  Unknown

Vendor Statement

IBM eServer Platform Response

For information related to this and other published CERT Advisories that may relate to the IBM eServer Platforms (xSeries, iSeries, pSeries, and zSeries) please go to https://app-06.www.ibm.com/servers/resourcelink/lib03020.nsf/pages/securityalerts?OpenDocument&pathID=3D

In order to access this information you will require a Resource Link ID. To subscribe to Resource Link go to http://app-06.www.ibm.com/servers/resourcelink and follow the steps for registration.

All questions should be referred to servsec@us.ibm.com.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Ingrian Networks

Updated:  September 23, 2003

Status

  Not Vulnerable

Vendor Statement

Ingrian Networks products are not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

MandrakeSoft

Updated:  September 23, 2003

Status

  Not Vulnerable

Vendor Statement

MandrakeSoft patched 3.6.1 for updates, so none of our products are vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Microsoft Corporation

Updated:  September 23, 2003

Status

  Not Vulnerable

Vendor Statement

The particular program in question is not used in any Microsoft products.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Mirapoint

Updated:  September 23, 2003

Status

  Not Vulnerable

Vendor Statement

Mirapoint is not vulnerable to this.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NetScreen

Updated:  September 23, 2003

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Network Appliance

Updated:  September 23, 2003

Status

  Not Vulnerable

Vendor Statement

NetApp products are not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

OpenSSH

Notified:  September 22, 2003

Updated:  September 23, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Openwall GNU/*/Linux

Updated:  September 24, 2003

Status

  Not Vulnerable

Vendor Statement

This doesn't affect Openwall GNU/*/Linux -- we haven't updated to a version of OpenSSH/portable with the newer FreeBSD-derived PAM code.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Pragma Systems

Updated:  September 23, 2003

Status

  Not Vulnerable

Vendor Statement

Since we do not support PAM authentication, this issue does not apply to our server.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Red Hat Inc.

Updated:  September 23, 2003

Status

  Not Vulnerable

Vendor Statement

Red Hat Linux and Red Hat Enterprise Linux contain versions of OpenSSH prior to version 3.7 and are therefore not vulnerable to these issues.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sun Microsystems Inc.

Updated:  September 24, 2003

Status

  Not Vulnerable

Vendor Statement

Sun is not vulnerable to this. We have never shipped with this release.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SuSE Inc.

Updated:  September 23, 2003

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

WatchGuard

Updated:  September 24, 2003

Status

  Not Vulnerable

Vendor Statement

WatchGuard Products are not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.
