Mailinglist Archive: opensuse-security (499 mails)

< Previous Next >
Re: [suse-security] OpenSSH 3.0.2p1
  • From: Ben Rosenberg <ben@xxxxxxxxx>
  • Date: Thu, 20 Jun 2002 10:57:03 -0700
  • Message-id: <20020620175703.GA11748@xxxxxxxxx>
SuSE patches the existing version with a release as not to break deps
within the system. So if 8.0 comes with 3.0.2p1 then it has been patched
and if another exploit comes up..then that same version number will be
patched.

* Kevin Ivory (Ivory@xxxxxxxxx) [020620 03:26]:
::James Ogley wrote:
::> I'm running SuSE 8.0, with OpenSSH 3.0.2p1-108.
::>
::> This morning, I did a Nessus scan on one of my boxen at home, which
::> reported that this version is vulnerable to the off-by-one hole.
::>
::> I checked the Security Announcement about this (SuSE-SA:2002:009), but
::> this predates 8.0, and refers to fixed versions of 2.9.9.
::>
::> Is the package of 3.0.2p2 in 8.0 patched to fix this hole as well, thus
::
::I have the same version - it looks like quite a few off-by-one
::patches went in:
::
::grep -n off.by.one /usr/share/doc/packages/openssh/ChangeLog
::4272: off-by-one when removing a key from the agent
::4620: - (djm) Another off-by-one fix from Pavel Kankovsky
::4630: - (djm) Security: fix off-by-one buffer overrun in fake-getnameinfo.c.
::6882: - Fixed off-by-one error in PAM env patch

-=Ben

--=====-----=====--
mailto:ben@xxxxxxxxx
--=====--
Tell me what you believe..I tell you what you should see. -DP
--=====-----=====--

< Previous Next >