Mailinglist Archive: opensuse-security (499 mails)

< Previous Next >
Re: [suse-security] OpenSSH 3.0.2p1
  • From: Kevin Ivory <Ivory@xxxxxxxxx>
  • Date: Thu, 20 Jun 2002 12:20:08 +0200
  • Message-id: <E17Kz2m-0007H0-00@xxxxxxxxxxxxxxxx>
James Ogley wrote:
> I'm running SuSE 8.0, with OpenSSH 3.0.2p1-108.
>
> This morning, I did a Nessus scan on one of my boxen at home, which
> reported that this version is vulnerable to the off-by-one hole.
>
> I checked the Security Announcement about this (SuSE-SA:2002:009), but
> this predates 8.0, and refers to fixed versions of 2.9.9.
>
> Is the package of 3.0.2p2 in 8.0 patched to fix this hole as well, thus

I have the same version - it looks like quite a few off-by-one
patches went in:

grep -n off.by.one /usr/share/doc/packages/openssh/ChangeLog
4272: off-by-one when removing a key from the agent
4620: - (djm) Another off-by-one fix from Pavel Kankovsky
4630: - (djm) Security: fix off-by-one buffer overrun in fake-getnameinfo.c.
6882: - Fixed off-by-one error in PAM env patch

Kevin
--
_ | Kevin Ivory | Tel: +49-551-37000041
|_ |\ | | Service Network GmbH | Fax: +49-551-3700009
._|ER | \|ET | Bahnhofsallee 1b | mailto:Ivory@xxxxxxxxx
Service Network | 37081 Goettingen | http://www.SerNet.de/

< Previous Next >
Follow Ups
References