Date: Thu, 6 Sep 2007 12:19:20 -0700
From: Andrew Sharp <andy.sharp@onstor.com>
To: "Jairo Hernandez" <jhernandez@css.glasshouse.com>
Subject: Re: what version of OpenSSH are you running on the new 3.0.1.0
 code?
Message-ID: <20070906121920.5592f85a@ripper.onstor.net>
In-Reply-To: <200709061500.l86F0Dl19933@mailhost-rtp.css.glasshouse.com>
References: <20070906072845.2dcbec72@ripper.onstor.net>
	<200709061500.l86F0Dl19933@mailhost-rtp.css.glasshouse.com>
Organization: Onstor
X-Mailer: Sylpheed-Claws 2.6.0 (GTK+ 2.8.20; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Sure.  Just make sure that you "customerize" it first.  I'm sure I
don't have to tell you ~:^)

Cheers,

a

On Thu, 6 Sep 2007 10:00:36 -0500 "Jairo Hernandez"
<jhernandez@css.glasshouse.com> wrote:

> Hello Andrew,
> 
> I'll pass this on to the customer. Also I assume 3.0.1.0 still runs
> this version.
> 
> OpenSSH_4.2p1, OpenSSL 0.9.7g 11 Apr 2005
> 
> Is this correct?
> 
> Thanks,
> 
> jairo
> 
> -----Original Message-----
> From: Andrew Sharp [mailto:andy.sharp@onstor.com] 
> Sent: Thursday, September 06, 2007 9:29 AM
> To: Fred D. McFadden
> Cc: 'dl-cstech'
> Subject: Re: what version of OpenSSH are you running on the new
> 3.0.1.0 code?
> 
> Please remember that these machines are not meant to be run bare-assed
> on the internet, but as internal appliances where their environment is
> tightly controlled.
> 
> That being said, there are many very large, real, security holes in
> our product besides this theoretical security hole.  Theoretical
> because it has probably never been actually exploited even to crash
> the ssh server, and because of the highly inflammatory "...possibly
> execute arbitrary code..." which is obviously theoretical on its best
> day.
> 
> Cheers,
> 
> a
> 
> On Thu, 6 Sep 2007 09:54:35 -0400 "Fred D. McFadden"
> <fredm@css.glasshouse.com> wrote:
> 
> > Customer asks the below, can anyone answer? Thanks -Fred
> > ---------------
> > A new comment has been added to case 5806 by Server Manager.
> > https://ssl.salesforce.com/500000000015x3tAAA
> > 
> > ---------------- Comment: ---------------- Michael,
> > 
> > BTW, what version of OpenSSH are you running on the new 3.0.1.0
> > code? Because OpenSSH 4.4 and earlier contain a signal handler race
> > condition in the GSSAPI functionality which can lead to memory
> > being free()'d twice. This flaw allows a remote attacker to crash
> > the OpenSSH service and possibly execute arbitrary code on the
> > server.
> > 
> > Thanks,
> > 
> > Yong
> > 
> > 
> 
> 
