On Thursday 27 May 2004 18:02, Chalonec Roger wrote:
> I performed the check and am running openssh-3.6.1p2-19.  Part of their
> report showed:
>
> -------------------------------------------------------------
> SSH Servers: TCP:22 - OpenSSH 3.7.0 Buffer Overflow
> Risk Level: High
> Description: OpenSSH versions prior to 3.7.1 are vulnerable to buffer
> management errors.
> How To Fix:
> Upgrade to 3.7.1 or the latest build immediately.
> URL1: OpenSSH Advisory (http://www.openssh.com/txt/buffer.adv)
> CVE: CAN-2003-0695
> ------------------------------------------------------------------

[root@fc1 root]# rpm -q --changelog openssh | grep -2 'CAN-2003-0695'
* Wed Sep 17 2003 Bill Nottingham <notting@xxxxxxxxxx> 3.6.1p1-14
- additional buffer manipulation fixes (CAN-2003-0695)

* Wed Sep 17 2003 Daniel Walsh <dwalsh@xxxxxxxxxx> 3.6.1p2-13.sel

>
> Another part showed:
> ----------------------------------------------------
> 22: SSH - SSH (Secure Shell) Remote Login Protocol
> Detected Protocol: SSH
> Port State: Open
> Version: SSH-1.99-OPENSSH_3.6.1P2
> ----------------------------------------------------
>
>
> This was Retina so I guess it was a false positive.  Sorry for the
> alarm.

    No problem, you're welcome :)

>
> Thanks for your help,
>
> Roger
>
>
> 3.7.0 and another showed
>
> -----Original Message-----
> From: Doncho N. Gunchev [mailto:mr700@xxxxxxxxxxxx]
> Sent: Thursday, May 27, 2004 6:50 AM
> To: For users of Fedora Core releases
> Cc: Chalonec Roger
> Subject: Re: SSL Buffer Overflow Vulnerability
>
>
> On Thursday 27 May 2004 13:04, Chalonec Roger wrote:
> > Our security folks detected an openSSH vulnerability in a fully
> > patched FC1.  They said that it was running version 3.7.0 and needed
> > to go to
>
>     It should not -> in FC1 it's 'rpm -q openssh' =
> 'openssh-3.6.1p2-19'!
>
> > 3.7.1 .  Should this be the case if FC1 is fully patched?  Can anyone
> > point me to directions on how to upgrade to 3.7.1 or recommend a
> > better openSSH version?
>
>     Better do 'rpm -q openssh --changelog | less' and see if this
> vulnerability is patched (you have to ask them exactly what
> vulnerability they have in mind). Many programs report
> vulnerabilities based on the program version (not actual check), so I
> guess this is the case here. You can see openssh-3.7p1.tar.gz is from
> 16-Sep-2003 and in the changelog there are buffer overflow fixes from 17
> and 18 Sep-2003.
>
> >
> > Thanks,
> >
> > Roger
>
>     Check the list, RedHat backports all fixes from the new versions.
> This way you don't have all new features (and unknown bugs), but still
> have all fixes from the new versions (as someone from RedHat already
> explained).
>
> --
> Regards,
>   Doncho N. Gunchev    Registered Linux User #291323 at counter.li.org
>   GPG-Key-ID: 1024D/DA454F79
>   Key fingerprint = 684F 688B C508 C609 0371 5E0F A089 CB15 DA45 4F79
>

--
Regards,
  Doncho N. Gunchev    Registered Linux User #291323 at counter.li.org
  GPG-Key-ID: 1024D/DA454F79
  Key fingerprint = 684F 688B C508 C609 0371 5E0F A089 CB15 DA45 4F79
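
The changelog check used in this thread, written as a reusable triage helper (an added example, not part of the original messages). It goes slightly beyond the thread by matching both the older CAN- and the current CVE- spelling of an identifier; the function names and the second sample entry's body line are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample input, modelled on the changelog lines quoted in the thread.
sample_changelog() {
cat <<'EOF'
* Wed Sep 17 2003 Bill Nottingham <notting@xxxxxxxxxx> 3.6.1p1-14
- additional buffer manipulation fixes (CAN-2003-0695)

* Wed Sep 17 2003 Daniel Walsh <dwalsh@xxxxxxxxxx> 3.6.1p2-13.sel
- (constructed) entry that mentions no vulnerability id
EOF
}

# normalize_id ID: print the numeric part ("2003-0695") of a CAN-/CVE- id.
normalize_id() {
    printf '%s\n' "$1" | tr 'a-z' 'A-Z' | sed -n -E 's/^(CAN|CVE)-([0-9]{4}-[0-9]{4,})$/\2/p'
}

# changelog_fix_entries ID: read `rpm -q --changelog` output on stdin and print
# the header of every entry whose body mentions ID under either prefix.
# Returns 0 if an entry matched, 1 if none did, 2 if ID is malformed.
changelog_fix_entries() {
    num=$(normalize_id "$1")
    [ -n "$num" ] || return 2
    awk -v num="$num" '
        BEGIN  { pat = "(CAN|CVE)-" num "([^0-9]|$)" }  # do not match a longer id
        /^\* / { header = $0; next }                    # start of a changelog entry
        toupper($0) ~ pat && header != "" {
            if (!(header in seen)) { print header; seen[header] = 1 }
            found = 1
        }
        END    { exit found ? 0 : 1 }
    '
}

# triage_finding PACKAGE ID: run the check against the installed package (needs rpm).
triage_finding() {
    rc=0
    rpm -q --changelog "$1" | changelog_fix_entries "$2" || rc=$?
    case $rc in
        0) echo "$2: fix listed in the $1 changelog; the version-based finding looks like a false positive" ;;
        1) echo "$2: not mentioned in the $1 changelog; treat the finding as open" ;;
        *) echo "$2: not a CAN-/CVE- identifier" >&2 ;;
    esac
}

sample_changelog | changelog_fix_entries CAN-2003-0695
```

A changelog mention shows that the packager recorded a fix, so a miss means "verify further", not "vulnerable"; on an RPM host, `triage_finding openssh CAN-2003-0695` applies the same check to the installed package.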