Bug#211351: marked as done (ssh: Security - DSA-382-1 is based on 1st (obsolete revision) of OpenSSH Security advisory)



Your message dated Wed, 17 Sep 2003 12:38:43 +0100
with message-id <20030917113843.GB11545@riva.ucam.org>
and subject line Bug#211351: ssh: Security - DSA-382-1 is based on 1st (obsolete revision) of OpenSSH Security advisory
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 17 Sep 2003 09:05:33 +0000
>From scorpius@aqua.aspd.pwr.wroc.pl Wed Sep 17 04:05:30 2003
Return-path: <scorpius@aqua.aspd.pwr.wroc.pl>
Received: from aqua.aspd.pwr.wroc.pl [156.17.17.24] 
	by master.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 19zYFe-0001bg-00; Wed, 17 Sep 2003 04:05:30 -0500
Received: by aqua.aspd.pwr.wroc.pl (Postfix, from userid 1002)
	id AF32926414; Wed, 17 Sep 2003 11:05:29 +0200 (CEST)
From: Dariusz Puchalak <scorpius@aqua.aspd.pwr.wroc.pl>
Subject: ssh: Security - DSA-382-1 is based on 1st (obsolete revision) of OpenSSH Security advisory
To: submit@bugs.debian.org
X-Mailer: bug 3.3.10.1
Message-Id: <20030917090529.AF32926414@aqua.aspd.pwr.wroc.pl>
Date: Wed, 17 Sep 2003 11:05:29 +0200 (CEST)
Delivered-To: submit@bugs.debian.org
X-Spam-Status: No, hits=-5.0 required=4.0
	tests=HAS_PACKAGE
	version=2.53-bugs.debian.org_2003_9_16
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 2.53-bugs.debian.org_2003_9_16 (1.174.2.15-2003-03-30-exp)

Package: ssh
Version: 1:3.4p1-1.1
Severity: critical

Security patch is based on the 1st revision of the OpenSSH Security Advisory: buffer.adv
Now, a 2nd version is available, see: http://www.openssh.com/txt/buffer.adv

According to this advisory Debian package SSH 1:3.4p1-1.1 is still vulnerable.

And there are rumours about an exploit floating in the underground.
See: http://lists.netsys.com/pipermail/full-disclosure/2003-September/010116.html


-- System Information
Debian Release: 3.0
Kernel Version: Linux aqua 2.4.22 #1 Tue Aug 26 18:51:45 CEST 2003 i686 unknown

Versions of the packages ssh depends on:
ii  adduser        3.47           Add and remove users and groups
ii  debconf        1.0.32         Debian configuration management system
ii  libc6          2.2.5-11.5     GNU C Library: Shared libraries and Timezone
ii  libpam-modules 0.72-35        Pluggable Authentication Modules for PAM
ii  libpam0g       0.72-35        Pluggable Authentication Modules library
ii  libssl0.9.6    0.9.6c-2.woody SSL shared libraries
ii  libwrap0       7.6-9          Wietse Venema's TCP wrappers library
ii  zlib1g         1.1.4-1        compression library - runtime

---------------------------------------
Received: (at 211351-done) by bugs.debian.org; 17 Sep 2003 11:38:47 +0000
>From cjwatson@flatline.org.uk Wed Sep 17 06:38:44 2003
Return-path: <cjwatson@flatline.org.uk>
Received: from protactinium.btinternet.com [194.73.73.176] 
	by master.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 19zadw-0005ku-00; Wed, 17 Sep 2003 06:38:44 -0500
Received: from host81-129-36-235.in-addr.btopenworld.com ([81.129.36.235] helo=riva.lab.dotat.at)
	by protactinium.btinternet.com with esmtp (Exim 3.22 #23)
	id 19zadv-0005FH-00
	for 211351-done@bugs.debian.org; Wed, 17 Sep 2003 12:38:43 +0100
Received: from cjwatson by riva.lab.dotat.at with local (Exim 3.35 #1 (Debian))
	for 211351-done@bugs.debian.org
	id 19zadv-00030g-00; Wed, 17 Sep 2003 12:38:43 +0100
Date: Wed, 17 Sep 2003 12:38:43 +0100
From: Colin Watson <cjwatson@debian.org>
To: 211351-done@bugs.debian.org
Subject: Re: Bug#211351: ssh: Security - DSA-382-1 is based on 1st (obsolete revision) of OpenSSH Security advisory
Message-ID: <20030917113843.GB11545@riva.ucam.org>
References: <20030917090529.AF32926414@aqua.aspd.pwr.wroc.pl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030917090529.AF32926414@aqua.aspd.pwr.wroc.pl>
User-Agent: Mutt/1.3.28i
Delivered-To: 211351-done@bugs.debian.org
X-Spam-Status: No, hits=-5.7 required=4.0
	tests=EMAIL_ATTRIBUTION,QUOTED_EMAIL_TEXT
	version=2.53-bugs.debian.org_2003_9_16
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 2.53-bugs.debian.org_2003_9_16 (1.174.2.15-2003-03-30-exp)

On Wed, Sep 17, 2003 at 11:05:29AM +0200, Dariusz Puchalak wrote:
> Package: ssh
> Version: 1:3.4p1-1.1
> Severity: critical
> 
> Security patch is based on the 1st revision of the OpenSSH Security Advisory:
> buffer.adv Now, a 2nd version is available, see:
> http://www.openssh.com/txt/buffer.adv
> 
> According to this advisory Debian package SSH 1:3.4p1-1.1 is still
> vulnerable.

A new security update has been released, 1:3.4p1-1.woody.2. 1:3.6.1p2-8
is the corresponding fix for unstable.

Cheers,

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]
