Subject: Re: [PINE-CERT-20020301] OpenSSH off-by-one
To: Jan Schaumann <jschauma@netbsd.org>
From: Steven M. Bellovin <smb@research.att.com>
List: netbsd-users
Date: 03/07/2002 12:52:52
In message <20020307173813.GD10657@netmeister.org>, Jan Schaumann writes:
>It appears NetBSD's ssh is affected by this
>(/usr/src/crypto/dist/channels.c)...

http://www.pine.nl/advisories/pine-cert-20020301.txt

Right -- I was about to post that, too.

The problem is that openssh 3.1 will not compile with the version
of openssl in 1.5.2.  Is it safe to install the pkgsrc version on such 
systems?  Will it override properly in the build process?  I think I'm 
going to just apply the one-line patch for now, but that may not be 
feasible for the next hole.

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com