Re: [SSH/SFTP] Securityproblem in F-SECURE - VMS


Thread: Re: [SSH/SFTP] Securityproblem in F-SECURE

  1. Re: [SSH/SFTP] Securityproblem in F-SECURE

    We're looking into it. Vulnerabilities like this typically don't affect a
    VMS system, especially since we don't do the UNIX "chroot" thing, which is
    where this vulnerability apparently hits. We'll post status when we have
    some. In the meantime, the only thing you should do to help prevent this
    is (according to WRQ's web site):

    In your SSH2_DIR:SSHD2_CONFIG file, comment out the SftpSyslogFacility
    keyword line. Note: The line should begin with two "pound" signs, as in
    this example:
    ## SftpSyslogFacility LOCAL7

    At 07:20 AM 2/14/2006, Peter 'EPLAN' LANGSTOEGER wrote:
    >Since TCPware SSH/SFTP is based on the F-SECURE server, I'd like to ask:
    >F-SECURE Server is vulnerable (until V5.0.8) for an SFTP STAT attack.
    >
    >Is TCPware affected, too ?
    >
    >TIA
    >
    >--
    >Peter "EPLAN" LANGSTOEGER
    >Network and OpenVMS system specialist
    >E-mail peter@langstoeger.at
    >A-1030 VIENNA AUSTRIA I'm not a pessimist, I'm a realist


    ------
    +-------------------------------+----------------------------------------+
    | Dan O'Reilly                  | "There are 10 types of people in this  |
    | Principal Engineer            |  world: those who understand binary    |
    | Process Software              |  and those who don't."                 |
    | http://www.process.com        |                                        |
    +-------------------------------+----------------------------------------+
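
Added example, not part of the thread and not vendor code: a Python check for the workaround quoted in the post above, reporting any SftpSyslogFacility line that is still active and producing the commented-out form. It assumes that `#` starts a comment, that keywords are matched case-insensitively, and that a keyword is separated from its value by whitespace or `=`; the sample configuration is constructed.

```python
import re

# Assumption: '#' starts a comment and keyword names are case-insensitive,
# separated from the value by whitespace or '='.
KEYWORD = re.compile(r"^\s*SftpSyslogFacility(?:\s*=\s*|\s+|$)", re.IGNORECASE)


def active_lines(config_text):
    """Return (line_number, text) for every uncommented SftpSyslogFacility line."""
    return [(n, line)
            for n, line in enumerate(config_text.splitlines(), 1)
            if KEYWORD.match(line)]


def comment_out(config_text):
    """Return the config with each active keyword line prefixed by '## '."""
    out = []
    for line in config_text.splitlines():
        if KEYWORD.match(line):
            # Two pound signs, as in the workaround quoted in the post.
            out.append("## " + line.lstrip())
        else:
            out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample, not a real configuration file.
SAMPLE = """\
## sshd2_config (constructed sample)
Port 22
  SftpSyslogFacility LOCAL7
# SftpSyslogFacility AUTH
"""

if __name__ == "__main__":
    for n, line in active_lines(SAMPLE):
        print(f"line {n}: still active: {line.strip()}")
    print(comment_out(SAMPLE), end="")
```

Run it against a copy of the file and re-check the result with `active_lines` before putting the edited copy in place.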



  2. Re: [SSH/SFTP] Securityproblem in F-SECURE

    In article <6.1.2.0.2.20060214082811.0298f768@raptor.psccos.com>, Dan O'Reilly writes:
    >We're looking into it. Vulnerabilities like this typically don't affect a
    >VMS system, especially since we don't do the UNIX "chroot" thing, which is
    >where this vulnerability apparently hits. We'll post status when we have
    >some.


    Thanks for the fast response.

    I also think that VMS is not vulnerable. But I don't want to be
    surprised by reading an alarm message some time afterwards...

    --
    Peter "EPLAN" LANGSTOEGER
    Network and OpenVMS system specialist
    E-mail peter@langstoeger.at
    A-1030 VIENNA AUSTRIA I'm not a pessimist, I'm a realist
