Subject: Re: [PINE-CERT-20020301] OpenSSH off-by-one
To: Steven M. Bellovin <smb@research.att.com>
From: Brian A. Seklecki <lavalamp@spiritual-machines.org>
List: netbsd-users
Date: 03/07/2002 13:23:21
On Thu, 7 Mar 2002, Steven M. Bellovin wrote:
> In message <20020307173813.GD10657@netmeister.org>, Jan Schaumann writes:
> >
> >It appears, NetBSD's ssh is affected by this
> >(/usr/src/crypto/dist/channels.c)...
>
> http://www.pine.nl/advisories/pine-cert-20020301.txt
>
> Right -- I was about to post that, too.
>
> The problem is that openssh 3.1 will not compile with the version
> of openssl in 1.5.2. Is it safe to install the pkgsrc version on such
> systems? Will it override properly in the build process? I think I'm
> going to just apply the one-line patch for now, but that may not be
> feasible for the next hole.
It just got committed (I imagine the 1-5 branch will be brought up, too).
I imagine this warrants a security advisory?
---
Date: Thu, 7 Mar 2002 18:02:24 +0200 (EET)
From: Matthias Scheler <tron@netbsd.org>
To: source-changes@netbsd.org
Subject: CVS commit: basesrc/crypto/dist/ssh

Module Name:    basesrc
Committed By:   tron
Date:           Thu Mar 7 16:02:23 UTC 2002

Modified Files:
        basesrc/crypto/dist/ssh: channels.c

Log Message:
Fix off by one error described in "PINE-CERT-20020301" advisory.

To generate a diff of this commit:
cvs rdiff -r1.17 -r1.18 basesrc/crypto/dist/ssh/channels.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
--
>
> --Steve Bellovin, http://www.research.att.com/~smb
> Full text of "Firewalls" book now at http://www.wilyhacker.com
>
>
later-
Brian
----
"There are only two things infinite: The universe, and human stupidity. And I'm not too sure about the first one." -Albert Einstein