On Fri, Feb 09, 2001 at 08:14:08PM -0500, Jonathan D. Proulx wrote:
> Hi,
>
> I've only seen one (rather obscure) message to debian lists about this
> one, but there are 2 new exploits out for sshd
>
> this one is not much to lose sleep about as it's rather tricky and
> OpenSSH claims that it's not exploitable though they have patched
> their source tree as of Jan 29, 2001:
>
> http://www.securityfocus.com/templates/archive.pike?mid=161150&fromthread=0&end2001-02-10&threads=0&list=1&start=2001-02-04&
>
> This one is more worrisome as it's a relatively simple buffer
> overflow and the debian stable version of OpenSSH *is* vulnerable
> (unstable which uses OpenSSH 2.3.0p1 seems OK, but don't take my word
> for it):
>
> http://razor.bindview.com/publish/advisories/adv_ssh1crc.html

there was a ssh update to stable yesterday with the following fixes:

openssh (1:1.2.3-9.2) stable; urgency=high

  * Non-maintainer upload by Security Team
  * Added backported fix for a buffer overflow (thanks to Piotr Roszatycki)
  * Added modified build dependencies from unstable for convenience
  * Added patch that fixes an rsa key exchange problem made public by
    CORE SDI.

 -- Martin Schulze <[EMAIL PROTECTED]>  Thu,  8 Feb 2001 22:15:04 +0100

does that cover it?

-- 
Ethan Benson
http://www.alaska.net/~erbenson/