Subject: Re: RSAREF2 buffer overflow?
To: Aaron J. Grier <>
From: Bill Sommerfeld <>
List: tech-crypto
Date: 12/14/1999 16:55:35
Ok, the fix from CERT CA-99-15 is now merged into the appropriate
patch in pkgsrc.


Text for the website:

RSAREF2 Library Buffer Overruns Fixed.

Recently, there have been several buffer overruns discovered in the
RSAREF library.  Shortly after the bugtraq post reporting this problem
was released, the fix supplied in that post was added to pkgsrc.

However, as the CERT advisory CA-99-15 states:

   We believe the patch originally provided by Core SDI in their
   advisory may not be a complete fix to this particular problem.

Correspondingly, the revised fix referenced by the advisory has been
applied to NetBSD's pkgsrc distribution and is present in
pkgsrc/security/rsaref/patch-ah revision 1.3 and later.  NetBSD users
who use packages depending on rsaref should fetch the most recent
pkgsrc bits as soon as practical and rebuild packages, including ssh,
which depend on rsaref.

--- [ end ] ---

Note that the fix won't be available for anonymous download until sup
and anoncvs pull the fix (I'm not sure how frequently this happens).

					- Bill