Welcome to the MacNN Forums.

Tyler McAdams · Feb 12, 2005, 04:23 AM

Shouldn't this be updated/patched? OpenSSH 3.6.1p1 has known vulnerablilities.

Angus_D · Feb 12, 2005, 05:37 AM

What vulnerabilities?

Apple distributes OpenSSH 3.6.1p1 + patches to resolve known vulnerabilities

CAN-2003-0693 was resolved in 10.2.8 (ssh -V reports OpenSSH_3.4p1+CAN-2003-0693)
CAN-2004-0175 was resolved in Security Update 2004-09-07 (ssh -V reports OpenSSH_3.6.1p1+CAN-2004-0175)

OpenSSH 3.6.1p1 is not affected by CAN-2003-0682.

Tyler McAdams · Feb 12, 2005, 05:56 AM

I guess my scanner was assuming by the name that it was the unpatched version. I do know that at least here at IBM SSH1 is being totally disco'd in favor of SSH2.

Angus_D · Feb 12, 2005, 06:08 AM

Originally posted by Tyler McAdams:
I guess my scanner was assuming by the name that it was the unpatched version. I do know that at least here at IBM SSH1 is being totally disco'd in favor of SSH2.

OpenSSH supports SSH2.

Tyler McAdams · Feb 12, 2005, 06:40 AM

Originally posted by Angus_D:
OpenSSH supports SSH2.

Right... ssh -2

Simon · Feb 12, 2005, 08:14 AM

I've been asked by a Linux admin about this too.

AFAIK there are much newer portable versions available: 3.9p1 for example.

http://www.openssh.org/portable.html
http://www.openssh.org/faq.html#3.15

No idea why Apple is sticking to 3.6.1p1. Although, I don't know if the vulnerabilities of 3.6.x apply to Mac OS X as well.

Tyler McAdams · Feb 12, 2005, 09:09 AM

Originally posted by Simon:

No idea why Apple is sticking to 3.6.1p1. Although, I don't know if the vulnerabilities of 3.6.x apply to Mac OS X as well.

It sounds as if it's been patched... but you would think they would rename it...

Angus_D · Feb 12, 2005, 09:28 AM

Originally posted by Tyler McAdams:
It sounds as if it's been patched... but you would think they would rename it...

They have. Look at ssh -V

They haven't bumped the version number because the upstream version hasn't changed.