New SSH Vulnerabilities Discovered

possible writes "Rapid7 has discovered a new class of vulnerabilities affecting SSH2 implementations from many vendors. These vulnerabilities affect a wide variety of SSH servers and SSH clients. Rapid7 designed an SSH protocol test suite called SSHredder. The SSHredder test suite contains a large number of SSH2 protocol binary test cases, and is released under the BSD license. Rapid7's testing has revealed many defects in products such as F-Secure, SSH.com, PuTTY, etc. OpenSSH and GNU LSH are not affected." Some of the affected vendors have released fixed versions, and some say there's nothing exploitable about the reported holes.

OpenSSH v3.5 and earlier not vulnerable

[ubiquitin]

Looks like the commercial version(s) of ssh and windows ports of the ssh client were most vulnerable. ssh.com people have denied it is a problem, whereas putty developers already have a fix available. This announcement was done very professionally, with details for each vendor that they were notified and what their response was. This is the first I've heard of Rapid7, and I'm impressed at their thorough approach in announcing this vulnerability.