1 |
- - - |
2 |
--------------------------------------------------------------------- |
3 |
GENTOO LINUX SECURITY ANNOUNCEMENT 200309-12 |
4 |
- - - |
5 |
--------------------------------------------------------------------- |
6 |
|
7 |
PACKAGE : openssh |
8 |
SUMMARY : buffer management error |
9 |
DATE : 2003-09-16 22:53 UTC |
10 |
EXPLOIT : remote |
11 |
VERSIONS AFFECTED : <=openssh-3.7_p1 |
12 |
FIXED VERSION : >=openssh-3.7.1_p1 |
13 |
CVE : CAN-2003-0693 |
14 |
|
15 |
- - - |
16 |
--------------------------------------------------------------------- |
17 |
|
18 |
quote from advisory: |
19 |
|
20 |
"All versions of OpenSSH's sshd prior to 3.7 contain a buffer management |
21 |
error. It is uncertain whether this error is potentially |
22 |
exploitable,however, we prefer to see bugs fixed proactively." |
23 |
|
24 |
read the full advisory at: |
25 |
http://www.openssh.com/txt/buffer.adv |
26 |
|
27 |
This is a follow up advisory to indicate the further fixes have been |
28 |
made. From the ChangeLog: |
29 |
|
30 |
- (djm) OpenBSD Sync |
31 |
- markus@×××××××××××.org 2003/09/16 21:02:40 |
32 |
[buffer.c channels.c version.h] |
33 |
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU |
34 |
|
35 |
(reported on http://bugs.gentoo.org/show_bug.cgi?id=28927 by |
36 |
Christian Rubbert <ceed@×××.de>) |
37 |
|
38 |
SOLUTION |
39 |
|
40 |
It is recommended that all Gentoo Linux users who are running |
41 |
net-misc/openssh upgrade to openssh-3.7.1_p1 as follows: |
42 |
|
43 |
emerge sync |
44 |
emerge openssh |
45 |
emerge clean |
46 |
|
47 |
- - --------------------------------------------------------------- |
48 |
seemant@g.o - GnuPG key in signature below and on keyservers |
49 |
vapier@g.o |
50 |
|
51 |
-- |
52 |
Seemant Kulleen |
53 |
Developer and Project Co-ordinator, |
54 |
Gentoo Linux http://dev.gentoo.org/~seemant |
55 |
|
56 |
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3458780E |
57 |
Key fingerprint = 23A9 7CB5 9BBB 4F8D 549B 6593 EDA2 65D8 3458 780E |