Notified: October 31, 2001 Updated: December 13, 2001
Not Affected
Cisco has confirmed that their products are not affected by VU#945216.
The vendor has not provided us with any further information regarding this vulnerability.
Several public sources have speculated that Cisco SSH implementations are affected by this vulnerability, citing a Cisco Security Advisory released in June 2001 as documentation of the vulnerability. However, the Cisco advisory referenced above documents the SSH1 protocol vulnerability described in VU#13877, not the remote integer overflow described in VU#945216.
Notified: February 08, 2001 Updated: December 13, 2001
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The code used to detect and block CRC32 attacks was written in 1998 by CORE SDI and was subsequently incorporated into several SSH implementations. If your version of SSH contains a derivative of the code module below, the CERT/CC recommends that you disable the SSH1 service and contact your vendor for upgrade options.
Notified: February 08, 2001 Updated: December 13, 2001
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Debian has released Debian Security Advisories DSA-027-1 and DSA 086-1 in response to this vulnerability. For more information, please visit http://www.debian.org/security
Notified: February 12, 2001 Updated: December 13, 2001
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
FreeBSD has released a Security Advisory regarding this vulnerability. For more information, please visit ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:24.ssh.asc
Notified: November 06, 2000 Updated: December 10, 2001
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
This vulnerability was addressed in OpenSSH 2.3.0, released on November 6, 2000. For more information, please visit http://www.openssh.com/security.html
Updated: December 14, 2001
Affected
SmoothWall has released Security Advisory SSA-0902-1 regarding this vulnerability. For more information, please see http://www.smoothwall.org/gpl/get/download/patches/0.9.6-openssh-2.3.0p1.html
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: November 06, 2001
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
This vulnerability was addressed in Secure Shell 1.2.32, available at ftp://ftp.ssh.com/pub/ssh/. In addition, SSH Communications has released a public statement regarding this vulnerability; for more information, please visit http://www.ssh.com/products/ssh/advisories/ssh1_crc-32.cfm. It is important to note that versions 2.x and 3.x of SSH Secure Shell do not serve as replacements for the SSH1 protocol. Rather, they rely upon an existing installation of Secure Shell 1.x to handle SSH1 connections. Thus, installing a version 2.x or 3.x server does not obviate the need to maintain installations of Secure Shell 1.x.
Updated: December 13, 2001
Affected
SuSE has published Security Announcement SuSE-SA:2001:04 to address this vulnerability. For more information, please see http://www.suse.de/de/support/security/adv004_ssh.txt
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.