SSL Buffer Overflow Vulnerability

Chris Adams cmadams at hiwaay.net
Wed May 26 17:02:12 UTC 2004


Once upon a time, Chalonec Roger <Chalonec.Roger at pbgc.gov> said:
> Our security folks detected an openSSH vulnerability in a fully patched
> FC1.  They said that it was running version 3.7.0 and needed to go to
> 3.7.1 .  Should this be the case if FC1 is fully patched?  Can anyone
> point me to directions on how to upgrade to 3.7.1 or recommend a better
> openSSH version?

They are most likely just scanning the version and not actually testing
for the vulnerability.

Typically, when a security hole is found, a lot of "stable"
distributions just back-port the fix for that bug into the version they
were already running instead of upgrading the version (which probably
includes lots of other unknown and untested changes).

There are one or two things in updates/testing that are security fixes,
but otherwise AFAIK if you've got everything from updates you shouldn't
have any known holes.

-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
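The point in the reply above (a scanner that matches only the banner version cannot see a back-ported fix) can be checked locally. The following POSIX shell script is an added example, not code from the original thread or from any distribution: the SSH banner, the changelog excerpt and the advisory id `CVE-YYYY-NNNN` are all constructed placeholders. It compares the banner version against the first fixed upstream version the way a naive scanner does, then consults the package changelog for a record of the back-port before deciding whether the host actually needs an update.

```shell
#!/bin/sh
# Added example (not from the original thread): why a banner-only scan can
# report a "vulnerable" OpenSSH on a host whose distro back-ported the fix.
# All sample data below is constructed; the advisory id is a placeholder.

# Constructed SSH banner, as a remote scanner would see it on the wire.
SAMPLE_BANNER='SSH-2.0-OpenSSH_3.7'

# Constructed excerpt of what `rpm -q --changelog openssh` prints on a patched
# system: the package release was bumped, the upstream version was not.
SAMPLE_CHANGELOG='* Thu Jan 01 2004 Example Maintainer <maint@example.invalid> 3.7-2
- back-port fix for CVE-YYYY-NNNN (buffer management bug)
* Mon Dec 01 2003 Example Maintainer <maint@example.invalid> 3.7-1
- initial build'

# Extract the upstream version number from an SSH banner line.
# "SSH-2.0-OpenSSH_3.7.1p2 Vendor-1" -> "3.7.1"
banner_version() {
    printf '%s\n' "$1" | sed -n 's/^SSH-[0-9.]*-OpenSSH_\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 (true) when dotted version $1 is lower than dotted version $2.
# Pure awk so it does not depend on GNU `sort -V`.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0;
            bi = (i <= nb) ? y[i] + 0 : 0;
            if (ai < bi) exit 0;
            if (ai > bi) exit 1;
        }
        exit 1
    }'
}

# The version-only test a banner-matching scanner performs:
# is the advertised version below the first fixed upstream release?
banner_says_vulnerable() {
    version_lt "$(banner_version "$1")" "$2"
}

# The check the scanner cannot do remotely: does the installed package's
# changelog record the fix under its advisory id?
changelog_has_fix() {
    printf '%s\n' "$1" | grep -q -- "$2"
}

# Combine both: only report "needs update" when neither the upstream version
# nor the package changelog shows the fix.
assess() {
    banner="$1"; fixed="$2"; changelog="$3"; id="$4"
    if ! banner_says_vulnerable "$banner" "$fixed"; then
        echo "version $(banner_version "$banner") >= $fixed: fixed upstream"
    elif changelog_has_fix "$changelog" "$id"; then
        echo "banner below $fixed but $id back-ported: not vulnerable"
    else
        echo "banner below $fixed and no record of $id: needs update"
    fi
}

# Stand-alone run with the constructed data.
assess "$SAMPLE_BANNER" 3.7.1 "$SAMPLE_CHANGELOG" CVE-YYYY-NNNN
```

On an RPM-based system the real inputs come from `ssh -V` (or the banner read from port 22) and `rpm -q --changelog openssh`; the advisory id to search for is the one named in the vendor's errata for the bug, which is what a banner-only scanner is missing.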
