Subject: Re: [PINE-CERT-20020301] OpenSSH off-by-one
To: Brian A. Seklecki <lavalamp@spiritual-machines.org>
From: Steven M. Bellovin <smb@research.att.com>
List: tech-security
Date: 03/07/2002 13:26:58
In message <20020307131056.B43021-100000@digitalfreaks.org>, "Brian A. Seklecki
" writes:
>On Thu, 7 Mar 2002, Steven M. Bellovin wrote:
>
>> In message <20020307173813.GD10657@netmeister.org>, Jan Schaumann writes:
>> >
>> >
>> >--LQksG6bCIzRHxTLp
>> >Content-Type: text/plain; charset=us-ascii
>> >Content-Disposition: inline
>> >
>> >It appears, NetBSD's ssh is affected by this
>> >(/usr/src/crypto/dist/channels.c)...
>>
>> http://www.pine.nl/advisories/pine-cert-20020301.txt
>>
>> Right -- I was about to post that, too.
>>
>> The problem is that openssh 3.1 will not compile with the version
>> of openssl in 1.5.2. Is it safe to install the pkgsrc version on such
>> systems? Will it override properly in the build process? I think I'm
>> going to just apply the one-line patch for now, but that may not be
>> feasible for the next hole.
>
>It just got commited (i imagine the 1-5 branch will be brought up, too).
>I imagine this warrants a security advisory?
>
Absolutely. There are several other recent bugtraq postings that also
merit either advisories or pkgsrc security warnings, such as the buffer
overflows in cfsd and apache, and the ipsec forwarding problem.
--Steve Bellovin, http://www.research.att.com/~smb
Full text of "Firewalls" book now at http://www.wilyhacker.com