OpenSSH-3.7 released (fixes Buffer Management bug)
OpenSSH 3.7 released September 16, 2003.
OpenSSH 3.7 and newer are not vulnerable to "September 16, 2003: OpenSSH Buffer Management bug", OpenSSH Security Advisory: http://www.openssh.com/txt/buffer.adv:
Subject: OpenSSH Security Advisory: buffer.adv
This is the 1st revision of the Advisory.
This document can be found at: http://www.openssh.com/txt/buffer.adv
1. Versions affected:
All versions of OpenSSH's sshd prior to 3.7 contain a buffer
management error. It is uncertain whether this error is
potentially exploitable, however, we prefer to see bugs
fixed proactively.
2. Solution:
Upgrade to OpenSSH 3.7 or apply the following patch.
All versions of OpenSSH's sshd prior to 3.7.1 contain buffer
management errors. It is uncertain whether these errors are
potentially exploitable, however, we prefer to see bugs
fixed proactively.
Other implementations sharing common origin may also have
these issues.
2. Solution:
Upgrade to OpenSSH 3.7.1 or apply the following patch.
I believe you need to upgrade all the ssh-related packages, not just ssh itself. Go to: https://rhn.redhat.com/errata/RHSA-2003-279.html and download all the rpms for your specific Red Hat distro. So you'll need:
Looks like the most recent OpenSSH patch has a potentially remotely exploitable bug as well. However, only OpenSSH versions 3.7p1 and 3.7.1p1 are vulnerable (patched Red Hat versions are alright) and that's only if you have turned on PAM-based authentication. Read the advisory here: