Subject: Re: RSAREF2 buffer overflow?
To: Bill Sommerfeld <email@example.com>
From: David Brownlee <firstname.lastname@example.org>
Date: 12/14/1999 22:05:13
Can we update the rsaref version to rsaref-2.0p3 - that way people
can immediately determine if they are running the latest version
by just running 'pkg_info rsaref'.
On Tue, 14 Dec 1999, Bill Sommerfeld wrote:
> Ok, the fix from CERT CA-99-15 is now merged into the appropriate
> patch in pkgsrc.
> Text for the website:
> RSAREF2 Library Buffer Overruns Fixed.
> Recently, there have been several buffer overruns discovered in the
> RSAREF library. Shortly after the bugtraq post reporting this problem
> was released, the fix supplied in that post was added to pkgsrc.
> However, as the CERT advisory CA-99-15 states:
> We believe the patch originally provided by Core SDI in their
> advisory may not be a complete fix to this particular problem.
> Correspondingly, the revised fix referenced by the advisory has been
> applied to NetBSD's pkgsrc distribution and is present in
> pkgsrc/security/rsaref/patch-ah revision 1.3 and later. NetBSD users
> who use packages depending on rsaref should fetch the most recent
> pkgsrc bits as soon as practical and rebuild packages, including ssh,
> which depend on rsaref.
> --- [ end ] ---
> Note that the fix won't be available for anonymous download until sup
> and anoncvs pull the fix (I'm not sure how frequent this is.)
> - Bill