patch your systems - new openssh exploit out

[mbrodeur at NextTime.com (Matt Brodeur)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 17 Sep 2003, Jerry Feldman wrote:

> On Tue, 16 Sep 2003 22:58:37 -0400 Johannes Ullrich 
> <jullrich at euclidian.com> wrote:
> 
> > To make things more interesting, there have been two OpenSSH updates
> > today. The first one, released early morning as 3.7p1 fixed buffer.c.
> > Later (couple hours ago), 3.7.1 was released. According to the notes,
> > it fixes additional issues.
> >
> > I am not sure which version made it into the updates
> > various distros released.
>
>
> According to SuSE, 3.5p1.

   Unfortunately that doesn't mean much in this case.  SuSE, just like Red
Hat and several others, back ports security fixes into older versions of
applications.  For example, Red Hat's OpenSSH update is version 3.5p1-9
and includes the buffer fix from 3.7p1, but not (AFAICT) the fixes from
3.7.1:

$ rpm -qp --changelog openssh-3.5p1-9.i386.rpm | head
* Tue Sep 16 2003 Nalin Dahyabhai <nalin at redhat.com> 3.5p1-9

- - apply patch to store the correct buffer size in allocated buffers
  (CAN-2003-0693)


   With these distributions you have to check the change log, the source
package patches, or the original vendor security advisory to know which
problems are fixed.  The other solution would be to rebuild the latest
version from official OpenSSH sources, which is often what I do anyway.  
IIRC, they include (or provide access to) an RPM .spec file that works
with Red Hat, and probably SuSE or Mandrake with minimal fuss.

- -- 
Matt Brodeur                                                            RHCE
MBrodeur at NextTime.com                                http://www.NextTime.com

It IS as bad as you think, and they ARE out to get you.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/aFmDc8/WFSz+GKMRAoedAJ9q2SbqCKTi71EmseG+VZLeJVCpHwCdFH6E
qmZgxuz8moDsGLJvAPVmUwk=
=sN1W
-----END PGP SIGNATURE-----