Sun SSH patch? (Sun Solaris Administration forum, Solaris Operating System category)

Given that Sun's sshd in Solaris 9 is based on OpenSSH,
does it have the same vulnerability recently found in OpenSSH?

Any patches in progress?

http://xforce.iss.net/xforce/alerts/id/144

On Tue, 16 Sep 2003 21:44:55 GMT,
Oscar del Rio <delrio@mie.utoronto.ca>, in
<HLBtqv.4Jn@mie.utoronto.ca> wrote:

+> Given that Sun's sshd in Solaris 9 is based on OpenSSH,
+> does it have the same vulnerability recently found in OpenSSH?

They weren't mentioned in the CERT advisory...I don't know if that's
good, bad or indifferent!

James
--
Consulting Minister for Consultants, DNRC
I can please only one person per day. Today is not your day. Tomorrow
isn't looking good, either.
I am BOFH. Resistance is futile. Your network will be assimilated.

In comp.unix.solaris I R A Darth Aggie <sy_nttvr@gurcragntba.pbz> wrote:
> On Tue, 16 Sep 2003 21:44:55 GMT,
> Oscar del Rio <delrio@mie.utoronto.ca>, in
> <HLBtqv.4Jn@mie.utoronto.ca> wrote:
> +> Given that Sun's sshd in Solaris 9 is based on OpenSSH,
> +> does it have the same vulnerability recently found in OpenSSH?

> They weren't mentioned in the CERT advisory...I don't know if that's
> good, bad or indifferent!

I wouldn't automatically assume that that's good.

--
Akop Pogosian
This space has been accidentally left blank.

On Wed, 17 Sep 2003 03:04:05 +0000 (UTC),
Akop Pogosian <akopps+usenet@ocf.berkeley.edu>, in
<bk8iv5$2abe$1@agate.berkeley.edu> wrote:

+> In comp.unix.solaris I R A Darth Aggie <sy_nttvr@gurcragntba.pbz> wrote:
+> > On Tue, 16 Sep 2003 21:44:55 GMT,
+> > Oscar del Rio <delrio@mie.utoronto.ca>, in
+> > <HLBtqv.4Jn@mie.utoronto.ca> wrote:
+> > +> Given that Sun's sshd in Solaris 9 is based on OpenSSH,
+> > +> does it have the same vulnerability recently found in OpenSSH?
+>
+> > They weren't mentioned in the CERT advisory...I don't know if that's
+> > good, bad or indifferent!
+>
+> I wouldn't automatically assume that that's good.

That's what worries me...

James
--
Consulting Minister for Consultants, DNRC
I can please only one person per day. Today is not your day. Tomorrow
isn't looking good, either.
I am BOFH. Resistance is futile. Your network will be assimilated.

In article <slrnbmh3c2.g57.sy_nttvr@gurcragntba.pbz>, I R A Darth Aggie wrote:
> On Wed, 17 Sep 2003 03:04:05 +0000 (UTC),
> Akop Pogosian <akopps+usenet@ocf.berkeley.edu>, in
><bk8iv5$2abe$1@agate.berkeley.edu> wrote:
> +> In comp.unix.solaris I R A Darth Aggie <sy_nttvr@gurcragntba.pbz> wrote:
> +> > On Tue, 16 Sep 2003 21:44:55 GMT,
> +> > Oscar del Rio <delrio@mie.utoronto.ca>, in
> +> > <HLBtqv.4Jn@mie.utoronto.ca> wrote:
> +> > +> Given that Sun's sshd in Solaris 9 is based on OpenSSH,
> +> > +> does it have the same vulnerability recently found in OpenSSH?
> +>
> +> > They weren't mentioned in the CERT advisory...I don't know if that's
> +> > good, bad or indifferent!
> +>
> +> I wouldn't automatically assume that that's good.
>
> That's what worries me...

I've simply downloaded the source and compiled it myself.

--
Seth H Holmes

On Wed, 17 Sep 2003 16:36:18 +0000, I R A Darth Aggie wrote:
> On Wed, 17 Sep 2003 03:04:05 +0000 (UTC),
> Akop Pogosian <akopps+usenet@ocf.berkeley.edu>, in
> <bk8iv5$2abe$1@agate.berkeley.edu> wrote:
> +> In comp.unix.solaris I R A Darth Aggie <sy_nttvr@gurcragntba.pbz> wrote:
> +> > On Tue, 16 Sep 2003 21:44:55 GMT,
> +> > Oscar del Rio <delrio@mie.utoronto.ca>, in
> +> > <HLBtqv.4Jn@mie.utoronto.ca> wrote:
> +> > +> Given that Sun's sshd in Solaris 9 is based on OpenSSH,
> +> > +> does it have the same vulnerability recently found in OpenSSH?
> +>
> +> > They weren't mentioned in the CERT advisory...I don't know if that's
> +> > good, bad or indifferent!
> +>
> +> I wouldn't automatically assume that that's good.
>
> That's what worries me...

It should. If Sun's SSH were not vulnerable they would have issued a
notice to that effect.

no-courtesy-copies-please writes in comp.unix.solaris:
|On Tue, 16 Sep 2003 21:44:55 GMT,
|Oscar del Rio <delrio@mie.utoronto.ca>, in
|<HLBtqv.4Jn@mie.utoronto.ca> wrote:
|+> Given that Sun's sshd in Solaris 9 is based on OpenSSH,
|+> does it have the same vulnerability recently found in OpenSSH?
|
|They weren't mentioned in the CERT advisory...I don't know if that's
|good, bad or indifferent!

I think it simply means CERT rushed the advisory out without waiting
for all vendors to respond. Sun has since provided a statement which
is on the CERT web page for the advisory now:
http://www.cert.org/advisories/CA-2003-24.html

--
__________________________________________________ ______________________
Alan Coopersmith alanc@alum.calberkeley.org
http://www.CSUA.Berkeley.EDU/~alanc/ aka: Alan.Coopersmith@Sun.COM
Working for, but definitely not speaking for, Sun Microsystems, Inc.

On Wed, 17 Sep 2003 21:07:15 +0000 (UTC),
Alan Coopersmith <alanc@alum.calberkeley.org>, in
<bkaie3$2vel$1@agate.berkeley.edu> wrote:

+> no-courtesy-copies-please writes in comp.unix.solaris:
+> |On Tue, 16 Sep 2003 21:44:55 GMT,
+> |Oscar del Rio <delrio@mie.utoronto.ca>, in
+> |<HLBtqv.4Jn@mie.utoronto.ca> wrote:
+> |+> Given that Sun's sshd in Solaris 9 is based on OpenSSH,
+> |+> does it have the same vulnerability recently found in OpenSSH?
+> |
+> |They weren't mentioned in the CERT advisory...I don't know if that's
+> |good, bad or indifferent!
+>
+> I think it simply means CERT rushed the advisory out without waiting
+> for all vendors to respond. Sun has since provided a statement which
+> is on the CERT web page for the advisory now:
+> http://www.cert.org/advisories/CA-2003-24.html

Yes, lots more vendors on there now...

Sun Microsystems confirms that the Solaris 9 version of Secure Shell
daemon (sshd) is affected by VU#333628. We are currently working on a
solution. A Sun Alert will be released soon that will allow customers
to track our progress on this issue.

James
--
Consulting Minister for Consultants, DNRC
I can please only one person per day. Today is not your day. Tomorrow
isn't looking good, either.
I am BOFH. Resistance is futile. Your network will be assimilated.

On Wed, 17 Sep 2003 21:07:15 +0000 (UTC), alanc@alum.calberkeley.org wrote:
>...
>I think it simply means CERT rushed the advisory out without waiting
>for all vendors to respond. Sun has since provided a statement which
>is on the CERT web page for the advisory now:
> http://www.cert.org/advisories/CA-2003-24.html

in summary: yes, it IS vulnerable.

FYI: I just put up an openssh 3.7.1p1 binary in the blastwave.org archives.
It'll get out to the mirror sites in a few hours, as usual.

WARNING: It currently is untested. If there are any problems found, I will
of course re-release the package, plus put a note on the 'news' link from
http://www.blastwave.org/packages/openssh

--
http://www.blastwave.org/ for solaris pre-packaged binaries with pkg-get
Organized by the author of pkg-get
[Trim the no-bots from my address to reply to me by email!]
S.1618 http://thomas.loc.gov/cgi-bin/bdquer...5:SN01618:@@@D
http://www.spamlaws.com/state/ca1.html

On Wed, 17 Sep 2003, I R A Darth Aggie wrote:
> On Tue, 16 Sep 2003 21:44:55 GMT,
> Oscar del Rio <delrio@mie.utoronto.ca>, in
> <HLBtqv.4Jn@mie.utoronto.ca> wrote:
> +> Given that Sun's sshd in Solaris 9 is based on OpenSSH,
> +> does it have the same vulnerability recently found in OpenSSH?
>
> They weren't mentioned in the CERT advisory...I don't know if that's
> good, bad or indifferent!

They are mentioned in the advisory, alert and coming solution is being
worked upon.

from advisory...
---
Sun Microsystems confirms that the Solaris 9 version of Secure Shell
daemon (sshd) is affected by VU#333628. We are currently working on a
solution. A Sun Alert will be released soon that will allow customers
to track our progress on this issue. Sun Alerts are available from
http://sunsolve.sun.com/pub-cgi/sear...egory:security
---

/Johan A