Subject: Re: [PINE-CERT-20020301] OpenSSH off-by-one
To: Brian A. Seklecki <>
From: Steven M. Bellovin <>
List: netbsd-users
Date: 03/07/2002 13:26:58
In message <>, "Brian A. Seklecki
" writes:
>On Thu, 7 Mar 2002, Steven M. Bellovin wrote:
>> In message <>, Jan Schaumann writes:
>> >
>> >
>> >--LQksG6bCIzRHxTLp
>> >Content-Type: text/plain; charset=us-ascii
>> >Content-Disposition: inline
>> >
>> >It appears, NetBSD's ssh is affected by this
>> >(/usr/src/crypto/dist/channels.c)...
>> Right -- I was about to post that, too.
>> The problem is that openssh 3.1 will not compile with the version
>> of openssl in 1.5.2.  Is it safe to install the pkgsrc version on such
>> systems?  Will it override properly in the build process?  I think I'm
>> going to just apply the one-line patch for now, but that may not be
>> feasible for the next hole.
>It just got commited (i imagine the 1-5 branch will be brought up, too).
>I imagine this warrants a security advisory?

Absolutely.  There are several other recent bugtraq postings that also 
merit either advisories or pkgsrc security warnings, such as the buffer 
overflows in cfsd and apache, and the ipsec forwarding problem.

		--Steve Bellovin,
		Full text of "Firewalls" book now at