[olug] Another (!!) OpenSSH update...

Daniel G. Linder dlinder at iprevolution.net
Thu Sep 18 17:52:59 UTC 2003


I wrote:
> Just read this on Slashdot...  The first OpenSSH patch that
> we all heard about yesterday (openssh-3.7p1) didn't fix all
> the buffer overflow problems, so they issued a 3.7.1 version.

> "Brian Roberson" <roberson at olug.org> wrote:
> > More detail and a link specific to what you are talking about would be nice;
> > is this only redhat? all openssh installs? what? ...... security minded
> > posts are not a thing to cry wolf over - BE DETAILED, give resources, or
> > don't post.

Sorry, I thought all that information would be fresh in most everyone's
minds so I didn't re-hash the www.openssh.org site and/or track down the
exact CERT numbers again.

To which Jeff Hinrichs [mailto:jlh at cox.net] replied:
> SSH security glitch exposes networks, 9/17/03 5amPT
> http://zdnet.com.com/2100-1105_2-5077796.html?tag=zdnnfd.main
> 
> Subject: OpenSSH Security Advisory: buffer.adv
> This is the 2nd revision of the Advisory.
> http://www.openssh.com/txt/buffer.adv
> 
> CERT Advisory CA-2003-24 Buffer Management Vulnerability in OpenSSH
> http://www.cert.org/advisories/CA-2003-24.html
> 
> patch early, patch often
> -Jeff

Thanks for the update, Jeff.  I hope the rumors of a third patch set
going out are just that (unless, of course, they are required).

Dan

