Groo
03-06-2001, 02:52 PM
There was an advisory on February 8th and I totally missed it... I'm sure alot of you out there missed it as well
http://list.cobalt.com/pipermail/cobalt-security/2001-February/001203.html
These are the steps I took to upgrade it on my Raq3:
* If you have telnet disabled - re-enable it... in case something messes up while installing the new SSH you need a way back into the box
Ftp to:
ftp.utoronto.ca/mirror/packages/ssh/
get ssh-2.4.0.tar.gz
(If you want to use another mirror a full list is here (http://www.ssh.com/products/ssh/download.html).)
extract the file... run configure then make - then make install
Edit /etc/ssh2/ssh2_config and set Ssh1Compatibility to no
(The exploit affects this upgrade if ssh1 compatibility is left on)
Now, assuming you're telnetted in while doing this:
(so you don't kill your own current SSH connection)
% /etc/rc.d/init.d/sshd stop
% /etc/rc.d/init.d/sshd start
and you should be up and running with ssh 2.4 exploit free (at least for now...)
* Remember to disable telnet and that's it...
As a side note, Putty 0.50 has a bug where if you attempt to connect to a server running SSH2 it won't let you connect (keeps saying invalid key) - get the 0.51 upgrade from http://www.chiark.greenend.org.uk/~sgtatham/putty/
Swamper
http://list.cobalt.com/pipermail/cobalt-security/2001-February/001203.html
These are the steps I took to upgrade it on my Raq3:
* If you have telnet disabled - re-enable it... in case something messes up while installing the new SSH you need a way back into the box
Ftp to:
ftp.utoronto.ca/mirror/packages/ssh/
get ssh-2.4.0.tar.gz
(If you want to use another mirror a full list is here (http://www.ssh.com/products/ssh/download.html).)
extract the file... run configure then make - then make install
Edit /etc/ssh2/ssh2_config and set Ssh1Compatibility to no
(The exploit affects this upgrade if ssh1 compatibility is left on)
Now, assuming you're telnetted in while doing this:
(so you don't kill your own current SSH connection)
% /etc/rc.d/init.d/sshd stop
% /etc/rc.d/init.d/sshd start
and you should be up and running with ssh 2.4 exploit free (at least for now...)
* Remember to disable telnet and that's it...
As a side note, Putty 0.50 has a bug where if you attempt to connect to a server running SSH2 it won't let you connect (keeps saying invalid key) - get the 0.51 upgrade from http://www.chiark.greenend.org.uk/~sgtatham/putty/
Swamper