[gentoo-announce] GLSA 200309-12: OpenSSH

[pilla]

- - -
---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200309-12
- - -
---------------------------------------------------------------------

PACKAGE : openssh
SUMMARY : buffer management error
DATE : 2003-09-16 22:53 UTC
EXPLOIT : remote
VERSIONS AFFECTED : <=openssh-3.7_p1
FIXED VERSION : >=openssh-3.7.1_p1
CVE : CAN-2003-0693

- - -
---------------------------------------------------------------------

quote from advisory:

"All versions of OpenSSH's sshd prior to 3.7 contain a buffer management
error. It is uncertain whether this error is potentially
exploitable,however, we prefer to see bugs fixed proactively."

read the full advisory at:
http://www.openssh.com/txt/buffer.adv

This is a follow up advisory to indicate the further fixes have been
made. From the ChangeLog:

- (djm) OpenBSD Sync
- markus@cvs.openbsd.org 2003/09/16 21:02:40
[buffer.c channels.c version.h]
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU

(reported on https://bugs.gentoo.org/show_bug.cgi?id=28927 by
Christian Rubbert <ceed@xrc.de>)

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-misc/openssh upgrade to openssh-3.7.1_p1 as follows:

emerge sync
emerge openssh
emerge clean

- - ---------------------------------------------------------------
seemant@gentoo.org - GnuPG key in signature below and on keyservers
vapier@gentoo.org

--
Seemant Kulleen
Developer and Project Co-ordinator,
Gentoo Linux http://dev.gentoo.org/~seemant

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3458780E
Key fingerprint = 23A9 7CB5 9BBB 4F8D 549B 6593 EDA2 65D8 3458 780E
_________________
"I'm just very selective about the reality I choose to accept." -- Calvin