Re[2]: [linux-sec-uk] OpenSSH buffer management error

linux-sec-uk@mailman.lug.org.uk linux-sec-uk at mailman.lug.org.uk
Tue Sep 16 21:22:01 2003


Hello Dan,

Tuesday, September 16, 2003, 10:27:17 PM, you wrote:

DR> Whilst I'm pretty confident that you're right, how sure are you? Does
DR> the vulnerable point in the code occur after the tcpwrappers check, or
DR> before?

DR> RedHat have a patch out now - but you have to go to updates.redhat.com
DR> to actually get it - it's not hit mirror.ac.uk yet :( Nothing I can see
DR> from Debian yet, though.

DR> Dan



DR> On Tue, 2003-09-16 at 20:14, James Fidell wrote:
>> Quoting James Davis (jamesd@jml.net):
>> 
>> > Am sure you've already heard of today's announcement of the flaw in
>> > OpenSSH detailed at http://www.openssh.com/txt/buffer.adv but I felt this
>> > affects enough people to justify a posting to this list. Exploits are in
>> > the wild already so upgrade to OpenSSH 3.7 (see your vendor or
>> > openssh.com) or apply the patch provided at OpenSSH.com
>> 
>> And if you have lots of servers to sort out and need a quick fix first,
>> blocking untrusted connections with tcpwrappers may be a good option.
>> 
>> James
>> 
>> _______________________________________________
>> linux-sec-uk mailing list
>> linux-sec-uk@mailman.lug.org.uk
>> http://mailman.lug.org.uk/mailman/listinfo/linux-sec-uk

The Debian package is out, too.

-- 
Best regards,
 bugtraq                            mailto:bugtraq@gmb.ro