Description of Problem: Existing users will gain root privileges.

Version-Release number of selected component (if applicable): All versions between 2.0 and 3.0.2

Additional Information:
http://www.pine.nl/advisories/pine-cert-20020301.txt
http://www.openssh.com/
OpenSSH 3.1 released March 7, 2002.
An errata is in the works for this.
This will be RHSA-2002:043 when it's released.
Wanted to say thanks for including the Red Hat Linux 6.X patch in the spec file for 3.1p1 - saved our asses on some older machines.
/me hugs nalin. ;)
For anyone rebuilding these rpms on 6.X - the included patch will break ssh-1 connection attempts to a machine running 3.1p1 linked to openssl095a. More information here: http://bugzilla.mindrot.org/show_bug.cgi?id=138 Hopefully a patch will be coming soon.
3.1p1 should be rebuilt to include the last patch by Markus Friedl (http://bugzilla.mindrot.org/showattachment.cgi?attach_id=35) that attempts to fix problems with openssl 0.9.5a on RHL 6.2. However there still seem to be some problems even with this patch, so perhaps waiting a couple more days wouldn't hurt. However once it's fixed, please rebuild it :)
http://bugzilla.mindrot.org/showattachment.cgi?attach_id=37 This patch fixes the ssh1 problems for ssh1 and 3des. Blowfish is still off.