From owner-freebsd-stable  Fri Mar  8 23: 5:33 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from web13607.mail.yahoo.com (web13607.mail.yahoo.com [216.136.175.118])
	by hub.freebsd.org (Postfix) with SMTP id 1A59A37B402
	for <stable@freebsd.org>; Fri,  8 Mar 2002 23:05:22 -0800 (PST)
Message-ID: <20020309070522.66025.qmail@web13607.mail.yahoo.com>
Received: from [12.225.223.52] by web13607.mail.yahoo.com via HTTP; Fri, 08 Mar 2002 23:05:22 PST
Date: Fri, 8 Mar 2002 23:05:22 -0800 (PST)
From: Bzdik BSD <bzdik@yahoo.com>
Subject: Re: openssh 3.1, more problems? 
To: david raistrick <draistrick@gta.com>, stable@freebsd.org
In-Reply-To: <20020309065423.61758.qmail@web13601.mail.yahoo.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-stable.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-stable>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-stable>
X-Loop: FreeBSD.ORG


--- Bzdik BSD <bzdik@yahoo.com> wrote:
 btw, Debians is not patched
> yet
> in spite of announcements.

Oops, my bad:

From:   Michael Stone <mstone@pandora.debian.org>
Subject:        [SECURITY] [DSA 119-1] ssh channel bug
Date:   08 Mar 2002 21:35:16 +0100      

Package: openssh
Vulnerability: local root exploit, remote client exploit
Debian-specific: no

Joost Pol <joost@pine.nl> reports that OpenSSH versions 2.0 through
3.0.2
have an off-by-one bug in the channel allocation code. This
vulnerability
can be exploited by authenticated users to gain root privilege or by a
malicious server exploiting a client with this bug.

Since Debian 2.2 (potato) shipped with OpenSSH (the "ssh" package)
version 1.2.3, it is not vulnerable to this exploit. No fix is required
for Debian 2.2 (potato).

The Debian unstable and testing archives do include a more recent
OpenSSH
(ssh) package. If you are running these pre-release distributions you
should ensure that you are running version 3.0.2p1-8, a patched version
which was added to the unstable archive today, or a later version.


__________________________________________________
Do You Yahoo!?
Try FREE Yahoo! Mail - the world's greatest free email!
http://mail.yahoo.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message