Bug 186419 - OpenSSH accepts ssh version 1 connections
Summary: OpenSSH accepts ssh version 1 connections
Status: CLOSED DEFERRED
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: openssh
Version: 3.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-03-23 14:25 UTC by Mark Komarinski
Modified: 2007-11-30 22:07 UTC (History)
0 users

(edit)
Clone Of:
(edit)
Last Closed: 2006-03-23 15:28:43 UTC

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Mark Komarinski 2006-03-23 14:25:33 UTC 
Description of problem:

SSH version 1 still allowed despite critical vulnerabilities of protocol

Version-Release number of selected component (if applicable):

All

How reproducible:

Every time

Steps to Reproduce:
1. Install base system
2. Check /etc/ssh/sshd_config
  
Actual results:

# Protocol 2,1

Expected results:

# Protocol 2
or 
Protocol 2

Additional info:

Please see http://www.ssh.com/company/newsroom/article/210/ and
http://www.kb.cert.org/vuls/id/684820
Comment 1 Tomas Mraz 2006-03-23 15:28:43 UTC 
This problem will be resolved in a future major release of Red Hat Enterprise
Linux. Red Hat does not currently plan to provide a resolution for this in a Red
Hat Enterprise Linux update for currently deployed systems.

With the goal of minimizing risk of change for deployed systems, and in response
to customer and partner requirements, Red Hat takes a conservative approach when
evaluating changes for inclusion in maintenance updates for currently deployed
products. The primary objectives of update releases are to enable new hardware
platform support and to resolve critical defects.
Note You need to log in before you can comment on or make changes to this bug.