Re: RSAREF2 buffer overflow?

To: "Aaron J. Grier" <agrier%poofy.goof.com@localhost>, David Brownlee <abs%netbsd.org@localhost>
Subject: Re: RSAREF2 buffer overflow?
From: Bill Sommerfeld <sommerfeld%orchard.arlington.ma.us@localhost>
Date: Tue, 14 Dec 1999 16:55:35 -0500

Ok, the fix from CERT CA-99-15 is now merged into the appropriate
patch in pkgsrc..

David:

Text for the website:

RSAREF2 Library Buffer Overruns Fixed.

Recently, there have been several buffer overruns discovered in the
RSAREF library.  Shortly after the bugtraq post reporting this problem
was released, the fix supplied in that post was added to pkgsrc.

However, as the CERT advisory CA-99-15 states:

   We believe the patch originally provided by Core SDI in their
   advisory may not be a complete fix to this particular problem.

Correspondingly, the revised fix referenced by the advisory has been
applied to NetBSD's pkgsrc distribution and is present in
pkgsrc/security/rsaref/patch-ah revision 1.3 and later.  NetBSD users
who use packages depending on rsaref should fetch the most recent
pkgsrc bits as soon as practical and rebuild packages, including ssh,
which depend on rsaref.

--- [ end ] ---

Note that the fix won't be available for anonymous download until sup
and anoncvs pull the fix (i'm not sure how frequently this is..)

                                        - Bill

Follow-Ups:
- Re: RSAREF2 buffer overflow?
  - From: David Brownlee

References:
- RSAREF2 buffer overflow?
  - From: Aaron J. Grier

Prev by Date: Re: RSAREF2 buffer overflow?
Next by Date: Re: RSAREF2 buffer overflow?
Previous by Thread: Re: RSAREF2 buffer overflow?
Next by Thread: Re: RSAREF2 buffer overflow?
Indexes:

Home | Main Index | Thread Index | Old Index