Apache Friends Support Forum

[skachy]

Hello

I just ran a security check on our server and it showed this :

OpenSSH < 3.1 Channel Code Off by One Remote Privilege Escalation
ssh (22/tcp)
Synopsis:
Arbitrary code may be run on the remote host.
Description:
You are running a version of OpenSSH which is older than 3.1.
Versions prior than 3.1 are vulnerable to an off by one error that allows local users to gain root access, and it may be possible for remote users to
similarly compromise the daemon for remote access.
In addition, a vulnerable SSH client may be compromised by connecting to a malicious SSH daemon that exploits this vulnerability in the client code,
thus compromising the client system.
Solution:
Upgrade to OpenSSH 3.1 or apply the patch for prior versions. (See: http://www.openssh.org)
Risk factor:
Critical !!! / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.3
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true
CVE : CVE-2002-0083
BID : 4241
Other references : OSVDB:730, CWE:189


Can I somehow update the version of SSH in Xampp ? I am running the Windows 2008 R2 Web Server with Xampp 1.7.3 installed.

thanks

Jakub

[Sharley]

Can I somehow update the version of SSH in Xampp ?

As far as I know there is no OpenSSH in any XAMPP version by default.

If your version has an OpenSSH app then you or some other third party app has installed it.

What is the location in the XAMPP tree of OpenSSH?

Only OpenSSL is included in XAMPP by default but not OpenSSH.

There is no OpenSSH in XAMPP 1.7.3 but it may be included in your Windows server.