>Number:         19130
>Category:       pkg
>Synopsis:       bogus vulnerability listed in audit-packages for ssh-1.2.27nb2
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Nov 22 02:17:00 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     Tom Spindler
>Release:        NetBSD 1.6_STABLE
>Organization:
	
>Environment:
	
	
System: NetBSD beefcake.babymeat.com 1.6_STABLE NetBSD 1.6_STABLE (BEEFCAKE) #2: Sun Nov 17 23:29:44 PST 2002 dogcow@beefcake.babymeat.com:/media/src/src/sys/arch/i386/compile/BEEFCAKE i386
Architecture: i386
Machine: i386
>Description:
audit-packages's vulnerabilities file has the following line:
ssh<=1.2.31             remote-root-shell       http://razor.bindview.com/publish/advisories/adv_ssh1crc.html

which causes it to emit a remote-root-shell vulnerability warning for
pkgsrc/security/ssh/.

However, the advisory cited says that the vulnerability is eliminated
if one makes a word16 -> word32 decl change - precisely that which is
in patches/patch-ca.

There may well be other vulnerabilities in this package, but it's not
the one given by the URL.
	
>How-To-Repeat:
	
install ssh, install audit-packages, run audit-packages.
>Fix:
	
Either correct the URL to the correct security advisory, or remove the
vulnerability from the 'vulerabilities' file.

>Release-Note:
>Audit-Trail:
>Unformatted: