Re[2]: [linux-sec-uk] OpenSSH buffer management error
linux-sec-uk@mailman.lug.org.uk
linux-sec-uk at mailman.lug.org.uk
Tue Sep 16 21:22:01 2003
Hello Dan,
Tuesday, September 16, 2003, 10:27:17 PM, you wrote:
DR> Whilst I'm pretty confident that you're right, how sure are you? Does
DR> the vulnerable point in the code occur after the tcpwrappers check, or
DR> before?
DR> RedHat have a patch out now - but you have to go to updates.redhat.com
DR> to actually get it - it's not hit mirror.ac.uk yet :( Nothing I can see
DR> from debian yet, though.
DR> Dan
DR> On Tue, 2003-09-16 at 20:14, James Fidell wrote:
>> Quoting James Davis (jamesd@jml.net):
>>
>> > Am sure you've already heard of today's announcement of the flaw in
>> > OpenSSH detailed at http://www.openssh.com/txt/buffer.adv but I felt this
>> > affects enough people to justify a posting to this list. Exploits are in
>> > the wild already so upgrade to OpenSSH 3.7 (see your vendor or
>> > openssh.com) or apply the patch provided at OpenSSH.com
>>
>> And if you have lots of servers to sort out and need a quick fix first,
>> blocking untrusted connections with tcpwrappers may be a good option.
>>
>> James
>>
>> _______________________________________________
>> linux-sec-uk mailing list
>> linux-sec-uk@mailman.lug.org.uk
>> http://mailman.lug.org.uk/mailman/listinfo/linux-sec-uk
DR> _______________________________________________
DR> linux-sec-uk mailing list
DR> linux-sec-uk@mailman.lug.org.uk
DR> http://mailman.lug.org.uk/mailman/listinfo/linux-sec-uk
the debian package is out, too.
--
Best regards,
bugtraq mailto:bugtraq@gmb.ro