3Com Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Alcatel Not Affected

Notified:  June 06, 2003 Updated: August 01, 2003

Status

Not Affected

Vendor Statement

Following CERT vulnerability note VU#978316 on a vulnerability in OpenSSH daemon, Alcatel has conducted an immediate assessment to determine any impact this may have on our portfolio. A first analysis has shown that none of our products, and in particular the A7670, A7700 and OmniSwitch series which make use of SSH, is impacted. The security of our customers' networks is of highest priority for Alcatel. Therefore we continue to test our product portfolio and will provide updates if necessary.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Apple Computer, Inc. Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

AT&T Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Avaya Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Berkeley Software Design, Inc. Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Bitvise Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Borderware Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Cisco Systems, Inc. Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Clavister Not Affected

Notified:  June 06, 2003 Updated: June 09, 2003

Status

Not Affected

Vendor Statement

No Clavister software implements Secure Shell software. The general principle of crafted reverse DNS responses does not apply either, as the ruleset of Clavister Firewall only works with numerical IP addresses, and can, as such, be trusted to apply IP-based access controls to affected SSH daemons.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Computer Associates Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Cray Inc. Affected

Notified:  June 06, 2003 Updated: June 09, 2003

Status

Affected

Vendor Statement

Cray Inc. supports openssh through its Cray Open Software (COS) package. Cray does ship with VerifyReverseMapping set to "no". A site should set this to "yes" in the sshd_config file and then restart sshd. Once patches are available they will be incorporated.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Data General Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Debian Linux Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

D-Link Systems Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Engarde Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

eSoft Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Extreme Networks Not Affected

Notified:  June 06, 2003 Updated: June 24, 2003

Status

Not Affected

Vendor Statement

Extreme Networks software is not vulnerable to advisory VU#978316.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

F5 Networks, Inc. Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

FiSSH Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Foundry Networks Inc. Not Affected

Notified:  June 06, 2003 Updated: June 09, 2003

Status

Not Affected

Vendor Statement

Foundry Networks is not vulnerable to the OpenSSH issue described in VU#978316.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

FreeBSD, Inc. Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

FreeS/WAN Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

FreSSH Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

F-Secure Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Fujitsu Not Affected

Notified:  June 06, 2003 Updated: July 16, 2003

Status

Not Affected

Vendor Statement

Fujitsu's UXP/V o.s. is not affected by the problem in VU#978316 because it does not support SSH.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Global Technology Associates Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Hewlett-Packard Company Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Hitachi Not Affected

Notified:  June 06, 2003 Updated: June 18, 2003

Status

Not Affected

Vendor Statement

Hitachi GR2000 gigabit router series are NOT vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

IBM Corporation Affected

Notified:  June 06, 2003 Updated: June 19, 2003

Status

Affected

Vendor Statement

The AIX operating system is vulnerable to the issues discussed in CERT Vulnerability Note VU#978316. OpenSSH is available for AIX via the Bonus Pack or the Linux Affinity Toolbox.

For more information about the Linux Affinity Toolbox, please see: http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html

For more information about SSH for the Bonus Pack, please see: http://oss.software.ibm.com/developerworks/projects/opensshi

Both packages will be updated as information becomes available from OpenSSH.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

IBM eServer Unknown

Updated:  June 24, 2003

Status

Unknown

Vendor Statement

IBM eServer Platform Response

For information related to this and other published CERT Advisories that may relate to the IBM eServer Platforms (xSeries, iSeries, pSeries, and zSeries) please go to: https://app-06.www.ibm.com/servers/resourcelink/lib03020.nsf/pages/security=alerts?OpenDocument&pathID=3D

In order to access this information you will require a Resource Link ID. To subscribe to Resource Link go to http://app-06.www.ibm.com/servers/resourcelink and follow the steps for registration. All questions should be referred to servsec@us.ibm.com.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Ingrian Networks, Inc. Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Intel Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Internet Initiative Japan (IIJ) Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Interpeak Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Intersoft International Inc. Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Intoto Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Juniper Networks, Inc. Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

KAME Project Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Lachman Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Lotus Software Not Affected

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Not Affected

Vendor Statement

Lotus products do not implement OpenSSH.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

lsh Unknown

Updated:  June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Lucent Technologies Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

MacSSH Not Affected

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Not Affected

Vendor Statement

This is not applicable to MacSSH, which is a client only.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Mandriva, Inc. Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Mandriva, Inc. Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Microsoft Corporation Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Mirapoint Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

MontaVista Software, Inc. Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Multinet Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Multi-Tech Systems Inc. Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NEC Corporation Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NetBSD Affected

Notified:  June 06, 2003 Updated: June 09, 2003

Status

Affected

Vendor Statement

NetBSD ships with a version of OpenSSH which is vulnerable to the issue. We recommend that users take appropriate actions as suggested by the OpenSSH team.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Netcomposite Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Netscreen Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Network Appliance Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NeXT Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Nokia Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Nortel Networks, Inc. Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

OpenBSD Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

OpenSSH Affected

Updated:  June 06, 2003

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Openwall GNU/*/Linux Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Oracle Corporation Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Pragma Systems Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Putty Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Red Hat, Inc. Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Riverstone Networks Not Affected

Notified:  June 06, 2003 Updated: June 10, 2003

Status

Not Affected

Vendor Statement

Riverstone Networks' routers are not vulnerable to the problem.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SafeNet Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SCO Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Secure Computing Corporation Not Affected

Notified:  June 06, 2003 Updated: June 16, 2003

Status

Not Affected

Vendor Statement

This vulnerability relates to OpenSSH's internal mechanism for restricting connections based on the source address. While Sidewinder uses OpenSSH, source address restrictions are handled by the Sidewinder policy engine. Since OpenSSH's internal mechanism is not used, Sidewinder is not affected by this vulnerability. As a matter of policy, the updated SSH code will be included in a future patch. The Gauntlet firewall does not include an SSH daemon, and is thus not affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sequent Computer Systems, Inc. Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SGI Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sony Corporation Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SSH Communications Security Not Affected

Notified:  June 06, 2003 Updated: July 14, 2003

Status

Not Affected

Vendor Statement

Since 3.0.0, SSH Secure Shell server has had an additional specifier for matching with the host addresses, which can be used to only match IP-addresses or IP-masks. For example, one could specify

    AllowUsers *@\i192.168.*.*

Since 3.1.0, a specifier for address masks was added.

    AllowUsers *@\m192.168.0.0/16

The specifiers are to be prepended to the address, and are "\i" and "\m", respectively. Thus, SSH Secure Shell daemon is not vulnerable to this, if these specifiers are used.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Stonesoft Not Affected

Notified:  June 06, 2003 Updated: June 11, 2003

Status

Not Affected

Vendor Statement

Stonesoft's StoneGate high availability firewall and VPN product does not enable the OpenSSH daemon by default. Furthermore, the client IP addresses are regulated by the firewall rulebase and not by the OpenSSH configuration in StoneGate. Therefore StoneGate is not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sun Microsystems, Inc. Affected

Notified:  June 06, 2003 Updated: January 16, 2007

Status

Affected

Vendor Statement

The Solaris Secure Shell, which ships with Solaris 9 and later, is based on OpenSSH and is therefore vulnerable to this issue. The advice to enable the sshd_config(4) option of VerifyReverseMapping is a valid workaround for Solaris Secure Shell as well. Similarly, the use of IP addresses instead of hostnames for the sshd_config(4) options of AllowUsers and DenyUsers will also work around this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SUSE Linux Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

TTSSH/TeraTerm Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Unisys Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

VanDyke Software Inc. Affected

Notified:  June 06, 2003 Updated: June 16, 2003

Status

Affected

Vendor Statement

VShell connection filters are vulnerable to this type of attack if hostname or domain name based filters are used in any of the connection filters. VShell starts with the IP address provided by the TCP/IP protocol stack for the connection. If there are no name based filters in the connection filter list, it simply uses this address to do filtering -- no name resolution is performed, and therefore, no vulnerability exists. If there are name based filters in the connection filter list, VShell must discover all the hostnames associated with the connection IP. It does this through DNS, which is subject to trivial spoofing. It is recommended that our customers _not_ use hostname or domain name based filtering, but rather, use IP and netmask based filtering.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

WatchGuard Not Affected

Notified:  June 06, 2003 Updated: June 10, 2003

Status

Not Affected

Vendor Statement

We are not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Wind River Systems, Inc. Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

WinSCP Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Wirex Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Xerox Corporation Not Affected

Notified:  June 06, 2003 Updated: July 14, 2003

Status

Not Affected

Vendor Statement

A response to this vulnerability is available from our web site: http://www.xerox.com/security.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

ZyXEL Unknown

Notified:  June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.
