Important information about IBM-ERS' "ssh" advisory

David A. Curry davy at ers.ibm.com
Mon Nov 2 09:16:22 UTC 1998


-----BEGIN PGP SIGNED MESSAGE-----

On Friday, Oct. 30th, IBM-ERS sent out a draft advisory to be released on
Monday, Nov. 2nd that described a buffer overflow condition in Version
1.2.x "sshd."  This draft was sent to the Forum of Incident Response and
Security Teams, and also to the "ssh-bugs" list for their comment/review.
The draft was identified as ERS-SVA-E01-1998:005.1.

Rootshell has unfortunately chosen to include a copy of this draft advisory
in their recent newsletter, apparently for the purposes of defending itself
against charges that it was unfairly disparaging "sshd."  Use of IBM-ERS's
draft advisory in this manner was not approved or authorized by IBM-ERS,
and does a disservice to all.

Here are the facts about this advisory:

1. IBM-ERS advisory ERS-SVA-E01-1998:005.1 was never issued publicly by
   IBM.

2. In response to a telephone query from Kit Knox of Rootshell, IBM-ERS
   attempted to contact Kit on Friday evening, and was unable to reach
   him.  Specific contact information for IBM-ERS, as well as a brief
   status update, were left on Mr. Knox's voice mail.  Mr. Knox never
   contacted IBM-ERS after that time.

3. IBM has been working closely with Tatu Ylonen, author of "ssh," to make
   sure that the potential vulnerability described in the advisory is not
   exploitable.  Upon further investigation, the problem originally
   described appears to have been influenced by outside factors and does
   not appear to be an exploitable problem in "sshd."
   
4. IBM-ERS advisory ERS-SVA-E01-1998:005.1 was CANCELLED on the morning
   of Sunday, Nov. 1st, *before* Mr. Knox issued his newsletter.

5. At this time, IBM-ERS has NO KNOWLEDGE of any security vulnerabilities,
   exploitable or otherwise, in the "sshd" program.

We hope that this clarifies IBM's involvement in this situation.

- ---------------------------------------------------------------------------

The information in this document is provided as a service to customers of
the IBM Emergency Response Service.  Neither International Business Machines
Corporation, nor any of its employees, makes any warranty, express or implied,
or assumes any legal liability or responsibility for the accuracy, complete-
ness, or usefulness of any information, apparatus, product, or process
contained herein, or represents that its use would not infringe any privately
owned rights.  Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by IBM or its subsidiaries.  The views and opinions of authors expressed
herein do not necessarily state or reflect those of IBM or its subsidiaries,
and may not be used for advertising or product endorsement purposes.

-----BEGIN PGP SIGNATURE-----
Version: 2.7.1

iQCVAwUBNj12ufWDLGpfj4rlAQGbNAQAhxLTKJh8H0s9uS0KbUVO3IxjfAYrcSuf
TTpwZjQ3qciBr+8+LVU/WIk4OLGX7WLl2ZLqisUzNkBra4k0xPd2vKbKp6Pfd+6o
DlNwfiwpty1wzPD/7eiu4xclHt0emMpDC6QMkJldk4/lv7iQmPltpeXdGqRVYja8
fXtGXZO90UM=
=hlDX
-----END PGP SIGNATURE-----



More information about the NANOG mailing list