|Summary:||CAN-2003-0695 Additional OpenSSH security fixes|
|Product:||[Retired] Red Hat Linux||Reporter:||William Hooper <redhat>|
|Component:||openssh||Assignee:||Nalin Dahyabhai <nalin>|
|Status:||CLOSED ERRATA||QA Contact:||Brian Brock <bbrock>|
|Version:||9||CC:||barryn, csbebeau-keyword-redhatbugs.7ebe2b, kamo, k.georgiou, link, m.a.young, me, michael, pnasrat, u2561633|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2003-09-18 10:07:05 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
Description William Hooper 2003-09-17 01:44:22 UTC
Description of problem: It looks like more issues were found after the release of OpenSSH 3.7 (and RHSA- 2003:279). Quote: Security Changes: ================= All versions of OpenSSH's sshd prior to 3.7.1 contain buffer management errors. It is uncertain whether these errors are potentially exploitable, however, we prefer to see bugs fixed proactively. OpenSSH 3.7 fixed one of these bugs. OpenSSH 3.7.1 fixes more similar bugs. Version-Release number of selected component (if applicable):
Comment 1 Seth Vidal 2003-09-17 04:57:07 UTC
http://www.openssh.com/txt/buffer.adv the first patch listed here is needed for the packages in rhl 7.x, 8.0 and 9. At the time the patched packages were pushed from red hat today the above patch wasn't out yet. I've just built some packages with the above patch applied, they appear to check out normally in my rudimentary QA. I'd attach a src.rpm but the change is trivial
Comment 2 Seth Vidal 2003-09-17 06:28:01 UTC
Created attachment 94548 [details] patch for 7.x building This is the modifications to the new patches from the advisories for rhl 7.x systems. I've tested this on 7.3. It should work on 7.2 and 7.1. packages built and tested from this appear to be happy.
Comment 3 Mark J. Cox 2003-09-17 07:55:58 UTC
I've allocated CAN-2003-0695 to these additional fixes and we're working on updating our package sets.
Comment 4 Mark J. Cox 2003-09-17 15:45:58 UTC
*** Bug 104573 has been marked as a duplicate of this bug. ***
Comment 5 Barry K. Nathan 2003-09-17 18:26:35 UTC
http://www.openpkg.org/security/OpenPKG-SA-2003.040-openssh.html This page claims there are *four* more OpenSSH holes (and claims to have corrected packages).
Comment 6 Barry K. Nathan 2003-09-17 18:46:41 UTC
Following up on my previous comment, another patch; I'm guessing it applies to OpenSSH 3.7.1p1 but I haven't tried applying it yet: http://cvs.openpkg.org/chngview?cn=12268 I think other branches of OpenPKG CVS have patches against older OpenSSH versions.
Comment 7 Seth Vidal 2003-09-17 22:35:11 UTC
Just a note: Wanted to thank the red hat security/openssh people for getting to this so quickly. If you find your way near duke univ I'll be glad to buy you all a $beverage.