Re: Disregard the sshd announcement....
Mike Connor said:
> Some !@#$ posted a bulletin from IBM that IBM canceled on Nov 1. Sorry
> about that . . .
I think IBM pulled that because they couldn't prove it, and the people
who make ssh were swearing up & down that there was no hole.
Personally, I don't buy it for a minute.
I did a little looking through the ssh code... There are a *lot* of
potential buffer overruns. Like the IBM advisory said, there is heavy
use of vsprintf and sprintf in the code. Maybe all of those calls are
safe, but I honestly doubt it.
I converted as many of the *sprintf calls to *snprintf as I could.
The patch (against 1.2.26) is at
ftp://ftp.silug.org/pub/steve/ssh/
There's also an updated spec for the ssh rpm from replay. (If not for
these stupid encryption laws, I'd just put new source & binary rpms on
there. As it is, just grab the source rpm from
ftp://ftp.replay.com/pub/crypto/redhat/SRPMS/
install it with "rpm -ivh", then copy the patch to
/usr/src/redhat/SOURCES/ and rebuild the rpm with
"rpm -ba ssh-1.2.26i.spec" (the new spec, of course).)
Let's hope the GNU ssh replacement gets somewhere soon. (Anybody
remember what the URL to it is?)
Steve
--
steve@silug.org | Linux Users of Central Illinois
(217)698-1694 | Meetings the 4th Tuesday of every month
Steven Pritchard | http://www.luci.org/ for more info
--
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.
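The sprintf-to-snprintf conversion Steve describes is the standard mechanical fix, but it only helps if the caller also looks at snprintf's return value, since snprintf silently truncates instead of overflowing and a truncated path or command can itself be a bug. The following is an added illustration written for this archive page, not code from the ssh 1.2.26 source or from Steve's patch: the unsafe sprintf pattern beside its snprintf and vsnprintf replacements, with the return-value check that turns a silent truncation into a detectable error. The buffer size, format strings and sample inputs are all constructed for the example.

```c
/* Added example: the *sprintf -> *snprintf conversion with the check
 * the caller needs.  Not from ssh 1.2.26 or the patch discussed above. */
#include <stdio.h>
#include <string.h>
#include <stdarg.h>

#define BANNER_LEN 32   /* constructed fixed-size buffer, like a stack buffer in a C daemon */

/* The pattern the post worries about: sprintf() has no idea how large `out`
 * is.  Any result longer than BANNER_LEN-1 bytes writes past the buffer.
 * Kept only to show the shape; never call it with attacker-controlled input. */
int format_unsafe(char out[BANNER_LEN], const char *user, const char *host)
{
    return sprintf(out, "%s@%s", user, host);
}

/* Mechanical replacement: same call, plus the buffer size.
 * Returns 0 on success and -1 if the result did not fit.  On -1 the buffer
 * holds a NUL-terminated *truncated* string, never an overflow; the caller
 * still has to decide whether a truncated value is acceptable. */
int format_safe(char out[BANNER_LEN], const char *user, const char *host)
{
    int n = snprintf(out, BANNER_LEN, "%s@%s", user, host);
    /* C99: n is the length that would have been written without the limit.
     * Some pre-C99 libcs returned -1 on truncation instead; n < 0 covers both. */
    if (n < 0 || n >= BANNER_LEN)
        return -1;
    return 0;
}

/* vsprintf counterpart: a varargs logging helper with the same check.
 * Returns the number of bytes written, or -1 if the line was truncated. */
int log_line_safe(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Pre-check for code that must keep sprintf() for some reason: ask vsnprintf
 * with a zero-length buffer how long the result would be (C99 behaviour). */
int would_fit(size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return n >= 0 && (size_t)n < outlen;
}

int main(void)
{
    char buf[BANNER_LEN];
    char longhost[64];

    memset(longhost, 'a', sizeof longhost - 1);   /* constructed overlong hostname */
    longhost[sizeof longhost - 1] = '\0';

    if (format_safe(buf, "steve", "silug.org") == 0)
        printf("ok:        %s\n", buf);
    if (format_safe(buf, "steve", longhost) == -1)
        printf("truncated: %s\n", buf);          /* safe, but not what was asked for */
    if (!would_fit(sizeof buf, "%s@%s", "steve", longhost))
        printf("sprintf() would have overflowed a %d-byte buffer\n", BANNER_LEN);
    return 0;
}
```

The point of `would_fit` and the `n >= outlen` test is that truncation is a result, not an absence of error: a daemon that builds a filename or a command line into a fixed buffer should treat -1 as a hard failure rather than carry on with the shortened string.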