AIX 5.8p1?
Darren Tucker
dtucker at zip.com.au
Fri Sep 21 14:22:17 EST 2012
On Thu, Sep 20, 2012 at 11:14:16PM -0400, Ty Haller wrote:
> I will contact them.
>
> However it seems that IBM just publishes binaries built from the regular
> OpenSSH sources.

I can't speak to what they currently do, however in the past they did
modify the code.

> They list their latest version as being built with OpenSSH 5.8p1. My
> question is does version 5.8p1 address the mentioned vulnerabilities?

For the stock 5.8p1, no.

The fix for CVE-2011-5000 first appeared in 5.9p1:
http://anoncvs.mindrot.org/index.cgi/openssh/gss-serv.c?r1=1.24&r2=1.25

CVE-2010-4755 only lets a client DoS itself:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2011-March/029429.html

> I would expect those kinds of fixes to come straight from OpenSSH.

Vendors often backport security fixes without bumping the major version.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.