A bug has been found in the buffer code in OpenSSH. It is not yet clear if this could be exploited by an attacker but several possible attack vectors are under evaluation. A patch from the OpenBSD team is available. RHSA-2003:279 in progress.
*** Bug 104495 has been marked as a duplicate of this bug. ***
Have y'all patched anything else that was not included in this patch: http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssh/buffer.c.diff?r1=1.1.1.6&r2=1.1.1.7&f=u ? Just trying to find out if pushing what I have is sufficient or if there is something else announced privately that I'm missing. thanks
According to a message posted to openbsd-misc by Markus Friedl <markus> that's enough: <http://marc.theaimsgroup.com/?l=openbsd-misc&m=106371592604940&w=2>
Created attachment 94524 [details] patch for openssh 3.1 systems like rhl 7.X patch for openssh 3.1 systems like rhl 7.x - the provided patch from friedl just needed a little modfication. I know something like this will be in red hat's errata but can't hurt to add it here for others.
An errata has been issued which should help the problem described in the above bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2003-279.htm
Mark - your link is bad. Error 404.
Missing l http://rhn.redhat.com/errata/RHSA-2003-279.html
Are you aware that openssh have revised their advisory and released 3.7.1 - it looks like they are fixing the problem in more cases.
See bug 104551 for these additional issues.