Anonymous (nobody@replay.com)
Tue, 3 Nov 1998 00:47:24 +0100
Tatu Ylonen wrote:
> We are also trying to track down the Linux compilation problem that
> may have caused the false alert behind the IBM advisory. We will
> issue an announcement as soon as possible if a real vulnerability is
> found.
A second possibility, which I obviously can't judge as likely or unlikely
in this case, is that some binary has been intentionally compromised --
adversary gets access for a short time -> bad binaries...time
passes...buffer overflow exploited -> recompilation -> good binaries ->
world-famous disappearing exploit. If the binaries were downloaded, then
we have an entirely different issue to consider (binaries changed at a
source or, less likely, an actual MITM attack).
If you think it's worth checking, just compare hashes of those binaries
(or, if you're ultra-paranoid, actual binaries) which should be identical.
> Tatu Ylonen <ylo@ssh.fi>
(I won't be able to read replies on ssh)
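
An added example, not part of the original post: one way to run the comparison suggested above, hashing each file first and optionally comparing the bytes themselves. The function names, the choice of SHA-256 and the layout (a reference tree and a suspect tree that are expected to be identical) are assumptions of this example.

```python
import hashlib
from pathlib import Path

CHUNK = 1 << 16  # read size in bytes

def sha256_file(path):
    """Hash a file in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def first_difference(a, b):
    """Byte-for-byte comparison: offset of the first differing byte, or None."""
    offset = 0
    with open(a, "rb") as fa, open(b, "rb") as fb:
        while True:
            ba, bb = fa.read(CHUNK), fb.read(CHUNK)
            if ba != bb:
                for i, (x, y) in enumerate(zip(ba, bb)):
                    if x != y:
                        return offset + i
                return offset + min(len(ba), len(bb))  # one file is a prefix of the other
            if not ba:
                return None  # both files ended together: identical
            offset += len(ba)

def list_files(root):
    """Map relative path -> full path for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}

def compare_trees(reference, suspect, paranoid=False):
    """Compare a suspect tree against a reference tree expected to be identical."""
    ref, sus = list_files(reference), list_files(suspect)
    changed = {}
    for rel in sorted(ref.keys() & sus.keys()):
        same_hash = sha256_file(ref[rel]) == sha256_file(sus[rel])
        if not same_hash or paranoid:  # paranoid: compare bytes even when hashes agree
            diff = first_difference(ref[rel], sus[rel])
            if diff is not None:
                changed[rel] = diff
    return {"missing": sorted(ref.keys() - sus.keys()),
            "extra": sorted(sus.keys() - ref.keys()),
            "changed": changed}

if __name__ == "__main__":
    import sys
    print(compare_trees(sys.argv[1], sys.argv[2], paranoid="--paranoid" in sys.argv))
```

Run it from a trusted system against a reference tree obtained independently of the suspect host, since a compromised machine can also misreport its own hashes.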
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:17:17