- - -
---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200309-12
- - -
---------------------------------------------------------------------

     PACKAGE : openssh
     SUMMARY : buffer management error
      DATE : 2003-09-16 22:53 UTC
     EXPLOIT : remote
VERSIONS AFFECTED : <=openssh-3.7_p1
  FIXED VERSION : >=openssh-3.7.1_p1
       CVE : CAN-2003-0693

- - -
---------------------------------------------------------------------

quote from advisory:

"All versions of OpenSSH's sshd prior to 3.7 contain a buffer management
error.  It is uncertain whether this error is potentially
exploitable,however, we prefer to see bugs fixed proactively."

read the full advisory at:
http://www.openssh.com/txt/buffer.adv

This is a follow up advisory to indicate the further fixes have been
made.  From the ChangeLog:

 - (djm) OpenBSD Sync
    - markus@cvs.openbsd.org 2003/09/16 21:02:40
      [buffer.c channels.c version.h]
      more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU

(reported on http://bugs.gentoo.org/show_bug.cgi?id=28927 by 
Christian Rubbert <ceed@xrc.de>)

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-misc/openssh upgrade to openssh-3.7.1_p1 as follows:

emerge sync
emerge openssh
emerge clean

- - ---------------------------------------------------------------
seemant@gentoo.org - GnuPG key in signature below and on keyservers
vapier@gentoo.org

-- 
Seemant Kulleen
Developer and Project Co-ordinator,
Gentoo Linux					http://dev.gentoo.org/~seemant

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3458780E
Key fingerprint = 23A9 7CB5 9BBB 4F8D 549B 6593 EDA2 65D8 3458 780E