On Fri, Feb 09, 2001 at 08:14:08PM -0500, Jonathan D. Proulx wrote:
> Hi,
>
> I've only seen one (rather obscure) message to debian lists about this
> one, but there are 2 new exploits out for sshd
>
> this one is not much to lose sleep about as it's rather tricky and
> OpenSSH claims that it's not exploitable though they have patched
> their source tree as of Jan 29, 2001:
>
> http://www.securityfocus.com/templates/archive.pike?mid=161150&fromthread=0&end2001-02-10&threads=0&list=1&start=2001-02-04&
>
> This one is more worrisome as it's a relatively simple buffer
> overflow and the debian stable version of OpenSSH *is* vulnerable
> (unstable which uses OpenSSH 2.3.0p1 seems OK, but don't take my word
> for it):
>
> http://razor.bindview.com/publish/advisories/adv_ssh1crc.html

there was a ssh update to stable yesterday with the following fixes:

openssh (1:1.2.3-9.2) stable; urgency=high

  * Non-maintainer upload by Security Team
  * Added backported fix for a buffer overflow (thanks to Piotr
    Roszatycki)
  * Added modified build dependencies from unstable for convenience
  * Added patch that fixes an rsa key exchange problem made public by
    CORE SDI.

 -- Martin Schulze <joey@debian.org>  Thu, 8 Feb 2001 22:15:04 +0100

does that cover it?

--
Ethan Benson
http://www.alaska.net/~erbenson/