
Bug#211434: more ssh memory management fun



On Wed, Sep 17, 2003 at 11:43:04PM +0200, Wichert Akkerman wrote:
> Previously Brian Ristuccia wrote:
> > It looks like even after the two updates in the past two days there's still
> > more suspect memory management code in OpenSSH. See yet another OpenSSH
> > security advisory at
> 
> At this point it does not seem that the extra patches fix an exploitable
> bug so we're holding off on putting out yet another advisory.
> 

I can see the security team's desire to avoid posting several potentially
half-baked security fixes in a row for the same package. Now that the dust
has settled, will the security team post updated ssh packages for woody with
all of the buffer management code fixes applied?

Let's be proactive here - memory management bugs always have the potential
to interact in ways we'd never anticipate in order to produce security
problems. Certainly this interaction was true for the first two memory
management issues fixed, which were part of code audited by very qualified
software engineers and determined to have no security issues.

-- 
Brian Ristuccia
brian@ristuccia.com
bristucc@cs.uml.edu



