From owner-freebsd-security  Sun Nov 14 14: 5:53 1999
Delivered-To: freebsd-security@freebsd.org
Received: from sand2.sentex.ca (sand2.sentex.ca [209.167.248.3])
	by hub.freebsd.org (Postfix) with ESMTP id A79C514D04
	for <freebsd-security@FreeBSD.ORG>; Sun, 14 Nov 1999 14:05:48 -0800 (PST)
	(envelope-from mike@sentex.net)
Received: from gravel (ospf-mdt.sentex.net [205.211.164.81])
	by sand2.sentex.ca (8.8.8/8.8.8) with SMTP id RAA24712;
	Sun, 14 Nov 1999 17:05:43 -0500 (EST)
	(envelope-from mike@sentex.net)
Message-Id: <4.1.19991114170427.0480a7b0@granite.sentex.ca>
X-Sender: mdtancsa@granite.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 
Date: Sun, 14 Nov 1999 17:06:41 -0500
To: Keith Stevenson <k.stevenson@louisville.edu>,
	freebsd-security@FreeBSD.ORG
From: Mike Tancsa <mike@sentex.net>
Subject: Re: ssh-1.2.27 remote buffer overflow - exploitable (VD#7)
In-Reply-To: <19991114165943.B95613@osaka.louisville.edu>
References: <19991114165649.A95613@osaka.louisville.edu>
 <4.1.19991114000355.04d7f230@granite.sentex.ca>
 <Pine.BSF.3.96.991114133831.48981B-100000@fledge.watson.org <4.1.19991114153939.046249a0@granite.sentex.ca>
 <19991114165649.A95613@osaka.louisville.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 04:59 PM 11/14/99 , Keith Stevenson wrote:
>On Sun, Nov 14, 1999 at 04:56:49PM -0500, Keith Stevenson wrote:
>> 
>> I get the impression from the Bugtraq post that only SSH linked against
>> RSAREF is vulnerable.  Pity that those of us in the US are required to use 
>> the buggy code.
>
>(Replying to myself)
>
>Oops.  I think I gave the wrong impression.  As I understand it the bug is
>in the interaction between SSH 1.2.27 and the library call to RSAREF.  The
>combination is buggy, not RSAREF.

For the Canada and the USA, this is the default install combination no ?  I
guess a lot of sites will need to be patched out there :-(

	---Mike
**********************************************************************
Mike Tancsa, Network Admin        *  mike@sentex.net
Sentex Communications Corp,       *  http://www.sentex.net/mike
Cambridge, Ontario                *  01.519.651.3400
Canada                            *


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message