RE: SSL Buffer Overflow Vulnerability

From: Chalonec Roger (Chalonec.Roger_at_pbgc.gov)
Date: 05/27/04

    Date: Thu, 27 May 2004 11:02:50 -0400
    To: <mr700@globalnet.bg>, "For users of Fedora Core releases" <fedora-list@redhat.com>
    
    

    I performed the check and am running openssh-3.6.1p2-19. Part of their
    report showed:

    -------------------------------------------------------------
    SSH Servers: TCP:22 - OpenSSH 3.7.0 Buffer Overflow
    Risk Level: High
    Description: OpenSSH versions prior to 3.7.1 are vulnerable to buffer
    management errors.
    How To Fix:
    Upgrade to 3.7.1 or the latest build immediately.
    URL1: OpenSSH Advisory (http://www.openssh.com/txt/buffer.adv)
    CVE: CAN-2003-0695
    ------------------------------------------------------------------

    Another part showed:
    ----------------------------------------------------
    22: SSH - SSH (Secure Shell) Remote Login Protocol
    Detected Protocol: SSH
    Port State: Open
    Version: SSH-1.99-OPENSSH_3.6.1P2
    ----------------------------------------------------

    This was Retina so I guess it was a false positive. Sorry for the
    alarm.

    Thanks for your help,

    Roger

     3.7.0 and another showed

    -----Original Message-----
    From: Doncho N. Gunchev [mailto:mr700@globalnet.bg]
    Sent: Thursday, May 27, 2004 6:50 AM
    To: For users of Fedora Core releases
    Cc: Chalonec Roger
    Subject: Re: SSL Buffer Overflow Vulnerability

    On Thursday 27 May 2004 13:04, Chalonec Roger wrote:
    > Our security folks detected an openSSH vulnerability in a fully
    > patched FC1. They said that it was running version 3.7.0 and needed
    > to go to

        It should not -> in FC1 it's 'rpm -q openssh' =
    'openssh-3.6.1p2-19'!

    > 3.7.1 . Should this be the case if FC1 is fully patched? Can anyone
    > point me to directions on how to upgrade to 3.7.1 or recommend a
    > better openSSH version?

        Better do 'rpm -q openssh --changelog | less' and see if this
    vulnerability is patched (you have to ask them exactly what
    vulnerability they have in mind). Many programs report
    vulnerabilities based on the program version (not an actual check), so I
    guess this is the case here. You can see openssh-3.7p1.tar.gz is from
    16-Sep-2003 and in the changelog there are buffer overflow fixes from 17
    and 18 Sep-2003.

    >
    > Thanks,
    >
    > Roger

        Check the list, RedHat backports all fixes from the new versions.
    This way you don't have all new features (and unknown bugs), but still
    have all fixes from the new versions (as someone from RedHat already
    explained).

    -- 
    Regards,
      Doncho N. Gunchev    Registered Linux User #291323 at counter.li.org
      GPG-Key-ID: 1024D/DA454F79
      Key fingerprint = 684F 688B C508 C609 0371  5E0F A089 CB15 DA45 4F79
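
The check discussed in this thread (a scanner flags the SSH banner version, while the distribution package carries backported fixes), as an added example that is not part of the original messages. The function names are hypothetical and the sample changelog is constructed; it assumes the vendor changelog cites the CVE/CAN ID, so a miss is reported as unconfirmed rather than vulnerable.

```bash
# Constructed sample in `rpm -q --changelog` layout; not the real FC1 changelog.
SAMPLE_CHANGELOG='* Thu Sep 18 2003 Example Packager <pkg@example.invalid> 3.6.1p2-19
- backport buffer management fixes (CAN-2003-0695)

* Mon Aug 04 2003 Example Packager <pkg@example.invalid> 3.6.1p2-17
- rebuild'

# "SSH-1.99-OPENSSH_3.6.1P2" -> "3.6.1p2"
banner_version() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' |
        sed -E 's/^ssh-[0-9.]+-openssh_([^ ]+).*$/\1/'
}

# version_lt A B: true if A sorts strictly before B (needs GNU sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# True if the changelog on stdin cites the ID. Older entries use the
# candidate prefix CAN-, later ones CVE-, so both are accepted.
changelog_mentions_cve() {
    num="${1#*-}"                      # "CAN-2003-0695" -> "2003-0695"
    grep -Eqi "(CVE|CAN)-${num}([^0-9]|\$)"
}

# triage BANNER FIXED_UPSTREAM_VERSION CVE_ID   (package changelog on stdin)
triage() {
    ver="$(banner_version "$1")"
    if ! version_lt "$ver" "$2"; then
        echo "not-flagged: banner $ver is not older than $2"
    elif changelog_mentions_cve "$3"; then
        echo "backported: changelog cites $3; version-only finding is a false positive"
    else
        echo "unconfirmed: no changelog entry for $3; check the vendor advisory"
    fi
}

# On the host: rpm -q --changelog openssh | triage "$banner" 3.7.1 CAN-2003-0695
printf '%s\n' "$SAMPLE_CHANGELOG" |
    triage 'SSH-1.99-OPENSSH_3.6.1P2' 3.7.1 CAN-2003-0695
```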