Re: SSL Buffer Overflow Vulnerability

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thursday 27 May 2004 13:04, Chalonec Roger wrote:
> Our security folks detected an openSSH vulnerability in a fully patched
> FC1.  They said that it was running version 3.7.0 and needed to go to

    It should not -> in FC1 it's 'rpm -q openssh' = 'openssh-3.6.1p2-19'!

> 3.7.1 .  Should this be the case if FC1 is fully patched?  Can anyone
> point me to directions on how to upgrade to 3.7.1 or recommend a better
> openSSH version?

    Better do 'rpm -q openssh --changelog | less' and see if this
vulnerability is patched (you have to ask them exactly what vulnerability
do they have in mind). Many programs report vulnerabilities based on the
program version (not actual check), so I guess this is the case here. You
can see openssh-3.7p1.tar.gz is from 16-Sep-2003 and in the changelog
there are buffer overflow fixes from 17 and 18 Sep-2003.

> 
> Thanks,
> 
> Roger

    Check the list, RedHat backports all fixes from the new versions. This
way you don't have all new features (and unknown bugs), but still have all
fixes from the new versions (as someone from RedHat allready explained).

-- 
Regards,
  Doncho N. Gunchev    Registered Linux User #291323 at counter.li.org
  GPG-Key-ID: 1024D/DA454F79
  Key fingerprint = 684F 688B C508 C609 0371  5E0F A089 CB15 DA45 4F79



[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux