Subject: Re: [PINE-CERT-20020301] OpenSSH off-by-one
To: Steven M. Bellovin <>
From: Brian A. Seklecki <>
List: netbsd-users
Date: 03/07/2002 13:23:21

On Thu, 7 Mar 2002, Steven M. Bellovin wrote:

> In message <>, Jan Schaumann writes:
> >
> >
> >It appears, NetBSD's ssh is affected by this
> >(/usr/src/crypto/dist/channels.c)...
>
> Right -- I was about to post that, too.
> The problem is that openssh 3.1 will not compile with the version
> of openssl in 1.5.2.  Is it safe to install the pkgsrc version on such
> systems?  Will it override properly in the build process?  I think I'm
> going to just apply the one-line patch for now, but that may not be
> feasible for the next hole.

It just got committed (I imagine the 1-5 branch will be brought up, too).
I imagine this warrants a security advisory?


Date: Thu,  7 Mar 2002 18:02:24 +0200 (EET)
From: Matthias Scheler <>
Subject: CVS commit: basesrc/crypto/dist/ssh

Module Name:    basesrc
Committed By:   tron
Date:           Thu Mar  7 16:02:23 UTC 2002

Modified Files:
        basesrc/crypto/dist/ssh: channels.c

Log Message:
Fix off by one error described in "PINE-CERT-20020301" advisory.

To generate a diff of this commit:
cvs rdiff -r1.17 -r1.18 basesrc/crypto/dist/ssh/channels.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


> 		--Steve Bellovin,
> 		Full text of "Firewalls" book now at



"There are only two things infinite:  The universe, and human stupidity.  And I'm not too sure about the first one."  -Albert Einstein