
RE: [cobalt-users] If you have been a victim



+> Hate to give you the bad news but per SEVERAL posts here within
+> the past week the SSH server package from pkg.nl.cobalt.com is
+> OLD and EXPLOITABLE and needs to be upgraded.
+
+stop spreading fud around. yes, that openssh pkg is old, granted but it's
+not exploitable. just because you have idiots hammering your server via port
+22 doesn't mean it's exploitable.
+
+if you keep simple passwords such as root/root, then upgrading to a newer
+version of ssh still won't help you.
+
+
+
+alex

Alex,

I was just relaying a previous post:

http://list.cobalt.com/pipermail/cobalt-users/2001-February/032992.html

Are you saying that what Peter had to say was FUD?
Being that you're a Cobalt employee could you possibly offer some more helpful
and empathetic anti-hacking advice than a sarcastic remark re: "root/root" ?

=============================================================================
Peter Batenburg cobalt-users@xxxxxxxxxxxxxxx
Fri Feb 9 13:16:02 2001

Hello,

That's not true. Cobalt rpms from pkg.nl.cobalt.com install openssh 2.1.1:
$ ssh -v
SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.

That's different than ssh1:
OpenSSH
OpenSSH versions prior to 2.3.0 are vulnerable.
OpenSSH versions 2.3.0 and above are not vulnerable, source changes in
deattack.c that fix this problem were incorporated into the source tree on
October 31st, 2000.

so update:
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-2.3.0p1.tar.gz

At 08:31 9-2-2001 -0800, you wrote:
>The vulnerability was found to only affect version 1.2.30, cobalt
>has version 2.1.1 of the pkg download site.
>
>Mike
>----- Original Message -----
>From: "Weihan Leow" <wleow@xxxxxxxxxxx>
>To: <cobalt-users@xxxxxxxxxxxxxxx>
>Sent: Friday, February 09, 2001 7:42 AM
>Subject: [cobalt-users] SSH Exploit?
>
>
> > I saw something about sshd on bugtraq.  Should we be alarmed?  Is cobalt
> > going to come out with another pkg for us to update sshd?
> >
> > http://www.securityfocus.com/vdb/bottom.html?vid=2345
> >
> > -Weihan
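
Added example, not part of the original thread: a small triage script that applies the "prior to 2.3.0" threshold quoted in Peter's message to SSH version banners collected from several machines. The host names and all sample banners except the quoted `ssh -v` line are constructed, and the function names are hypothetical.

```python
import re

# Fixed release as stated in the advisory text quoted in this thread.
FIXED = (2, 3, 0)

# Matches "OpenSSH_2.1.1", "OpenSSH_2.3.0p1" and "SSH-2.0-OpenSSH_2.9p2".
_OPENSSH = re.compile(r"OpenSSH[_-](\d+)\.(\d+)(?:\.(\d+))?")


def parse_openssh(banner):
    """Return (major, minor, patch) for an OpenSSH banner, else None."""
    m = _OPENSSH.search(banner)
    if not m:
        # Not OpenSSH (for example the original ssh 1.2.x): the 2.3.0
        # threshold does not apply, so do not guess.
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(banner):
    """Return 'update', 'ok' or 'unknown' against the 2.3.0 threshold.

    A version string cannot show vendor-backported fixes, so 'update'
    means "check the vendor package changelog", not proof of exposure.
    """
    version = parse_openssh(banner)
    if version is None:
        return "unknown"
    return "update" if version < FIXED else "ok"


def triage(inventory):
    """Map host -> verdict for a {host: banner} dict."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory; host names are made up. The first banner
# is the `ssh -v` output quoted in the thread.
SAMPLE = {
    "raq-a": "SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.",
    "raq-b": "SSH-1.99-OpenSSH_2.3.0p1",
    "raq-c": "SSH-1.5-1.2.30",
    "raq-d": "SSH-2.0-OpenSSH_2.9p2",
}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE).items()):
        print(host, verdict)
```

The non-OpenSSH banner is reported as `unknown` rather than `ok`, since the two product lines use different version numbering, which is the point Mike and Peter disagree on in the thread.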