[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

buffer overflow in ssh



As most of you have probably heard by now a buffer overflow has been
found in ssh. To stop us from being flooded with questions here is
some more information: the IBM Emergency Response Team has found a
buffer overflow in the logging code of ssh. It is not known if this
is what was used to break into rootshell on October 28 at this moment.

Prelimenary packages with a fix, based on a patch by Simon Kirby
<sim@netnation.com>, are currently available at two locations:
  http://www.wi.leidenuniv.nl/~wichert/ssh/
  http://amber.deltatee.com/~jgg

Another fix is to add the -q option to sshd, which disables the
logging code in sshd.

Please note that these packages are not official fixes and have not
received enough testing. When the fixed packages are uploaded and
installed we will make a proper announcement.

Wichert.

--
Debian GNU/Linux      .    Security Managers      .   security@debian.org
	      debian-security-announce@lists.debian.org
  Christian Hudon     .     Wichert Akkerman      .     Martin Schulze
<chrish@debian.org>   .   <wakkerma@debian.org>   .   <joey@debian.org>

Attachment: pgpljMwIRLb4T.pgp
Description: PGP signature


Reply to: