Subject: Re: [PINE-CERT-20020301] OpenSSH off-by-one
To: Steven M. Bellovin <smb@research.att.com>
From: Brian A. Seklecki <lavalamp@spiritual-machines.org>
List: netbsd-users
Date: 03/07/2002 13:23:21
On Thu, 7 Mar 2002, Steven M. Bellovin wrote:

> In message <20020307173813.GD10657@netmeister.org>, Jan Schaumann writes:
> >
> >It appears, NetBSD's ssh is affected by this
> >(/usr/src/crypto/dist/channels.c)...
>
> http://www.pine.nl/advisories/pine-cert-20020301.txt
>
> Right -- I was about to post that, too.
>
> The problem is that openssh 3.1 will not compile with the version
> of openssl in 1.5.2.  Is it safe to install the pkgsrc version on such
> systems?  Will it override properly in the build process?  I think I'm
> going to just apply the one-line patch for now, but that may not be
> feasible for the next hole.

It just got committed (I imagine the 1-5 branch will be brought up, too).
I imagine this warrants a security advisory?

---

Date: Thu,  7 Mar 2002 18:02:24 +0200 (EET)
From: Matthias Scheler <tron@netbsd.org>
To: source-changes@netbsd.org
Subject: CVS commit: basesrc/crypto/dist/ssh


Module Name:    basesrc
Committed By:   tron
Date:           Thu Mar  7 16:02:23 UTC 2002

Modified Files:
        basesrc/crypto/dist/ssh: channels.c

Log Message:
Fix off by one error described in "PINE-CERT-20020301" advisory.


To generate a diff of this commit:
cvs rdiff -r1.17 -r1.18 basesrc/crypto/dist/ssh/channels.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

--

>
> 		--Steve Bellovin, http://www.research.att.com/~smb
> 		Full text of "Firewalls" book now at http://www.wilyhacker.com
>
>

later-
Brian

 ----

"There are only two things infinite:  The universe, and human stupidity.  And I'm not too sure about the first one."  -Albert Einstein