SSL Buffer Overflow Vulnerability

Chalonec Roger Chalonec.Roger at pbgc.gov
Thu May 27 15:02:50 UTC 2004 

I performed the check and am running openssh-3.6.1p2-19.  Part of their
report showed:

-------------------------------------------------------------
SSH Servers: TCP:22 - OpenSSH 3.7.0 Buffer Overflow
Risk Level: High 
Description: OpenSSH versions prior to 3.7.1 are vulnerable to buffer
management errors.
How To Fix: 
Upgrade to 3.7.1 or the latest build immediately.
URL1: OpenSSH Advisory  (http://www.openssh.com/txt/buffer.adv)
CVE: CAN-2003-0695 
------------------------------------------------------------------

Another part showed:
----------------------------------------------------
22: SSH - SSH (Secure Shell) Remote Login Protocol
Detected Protocol: SSH
Port State: Open
Version: SSH-1.99-OPENSSH_3.6.1P2
----------------------------------------------------


This was Retina so I guess it was a false positive.  Sorry for the
alarm.

Thanks for your help,

Roger


 3.7.0 and another showed 

-----Original Message-----
From: Doncho N. Gunchev [mailto:mr700 at globalnet.bg] 
Sent: Thursday, May 27, 2004 6:50 AM
To: For users of Fedora Core releases
Cc: Chalonec Roger
Subject: Re: SSL Buffer Overflow Vulnerability


On Thursday 27 May 2004 13:04, Chalonec Roger wrote:
> Our security folks detected an openSSH vulnerability in a fully 
> patched FC1.  They said that it was running version 3.7.0 and needed 
> to go to

    It should not -> in FC1 it's 'rpm -q openssh' =
'openssh-3.6.1p2-19'!

> 3.7.1 .  Should this be the case if FC1 is fully patched?  Can anyone 
> point me to directions on how to upgrade to 3.7.1 or recommend a 
> better openSSH version?

    Better do 'rpm -q openssh --changelog | less' and see if this
vulnerability is patched (you have to ask them exactly what
vulnerability do they have in mind). Many programs report
vulnerabilities based on the program version (not actual check), so I
guess this is the case here. You can see openssh-3.7p1.tar.gz is from
16-Sep-2003 and in the changelog there are buffer overflow fixes from 17
and 18 Sep-2003.

> 
> Thanks,
> 
> Roger

    Check the list, RedHat backports all fixes from the new versions.
This way you don't have all new features (and unknown bugs), but still
have all fixes from the new versions (as someone from RedHat allready
explained).

-- 
Regards,
  Doncho N. Gunchev    Registered Linux User #291323 at counter.li.org
  GPG-Key-ID: 1024D/DA454F79
  Key fingerprint = 684F 688B C508 C609 0371  5E0F A089 CB15 DA45 4F79

More information about the fedora-list mailing list