pilla Bodhisattva
Joined: 07 Aug 2002 Posts: 7729 Location: Underworld
|
Posted: Wed Sep 17, 2003 8:50 pm Post subject: [gentoo-announce] GLSA 200309-12: OpenSSH |
|
|
- - -
---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200309-12
- - -
---------------------------------------------------------------------
PACKAGE : openssh
SUMMARY : buffer management error
DATE : 2003-09-16 22:53 UTC
EXPLOIT : remote
VERSIONS AFFECTED : <=openssh-3.7_p1
FIXED VERSION : >=openssh-3.7.1_p1
CVE : CAN-2003-0693
- - -
---------------------------------------------------------------------
quote from advisory:
"All versions of OpenSSH's sshd prior to 3.7 contain a buffer management
error. It is uncertain whether this error is potentially
exploitable,however, we prefer to see bugs fixed proactively."
read the full advisory at:
http://www.openssh.com/txt/buffer.adv
This is a follow up advisory to indicate the further fixes have been
made. From the ChangeLog:
- (djm) OpenBSD Sync
- markus@cvs.openbsd.org 2003/09/16 21:02:40
[buffer.c channels.c version.h]
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU
(reported on https://bugs.gentoo.org/show_bug.cgi?id=28927 by
Christian Rubbert <ceed@xrc.de>)
SOLUTION
It is recommended that all Gentoo Linux users who are running
net-misc/openssh upgrade to openssh-3.7.1_p1 as follows:
emerge sync
emerge openssh
emerge clean
- - ---------------------------------------------------------------
seemant@gentoo.org - GnuPG key in signature below and on keyservers
vapier@gentoo.org
--
Seemant Kulleen
Developer and Project Co-ordinator,
Gentoo Linux http://dev.gentoo.org/~seemant
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3458780E
Key fingerprint = 23A9 7CB5 9BBB 4F8D 549B 6593 EDA2 65D8 3458 780E _________________ "I'm just very selective about the reality I choose to accept." -- Calvin |
|