From owner-freebsd-security  Fri Dec 10 17:28:39 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2])
	by hub.freebsd.org (Postfix) with ESMTP
	id D62CF14D4E; Fri, 10 Dec 1999 17:28:35 -0800 (PST)
	(envelope-from brett@lariat.org)
Received: from mustang (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2])
	by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id SAA17246;
	Fri, 10 Dec 1999 18:28:28 -0700 (MST)
Message-Id: <4.2.0.58.19991210182710.03d98d80@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
Date: Fri, 10 Dec 1999 18:28:19 -0700
To: Kris Kennaway <kris@hub.freebsd.org>, spork <spork@super-g.com>
From: Brett Glass <brett@lariat.org>
Subject: Re: Security Advisory: Buffer overflow in RSAREF2 (fwd)
Cc: Todd Backman <todd@flyingcroc.net>, security@FreeBSD.ORG
In-Reply-To: <Pine.BSF.4.21.9912101650450.35020-100000@hub.freebsd.org>
References: <Pine.BSF.4.00.9912101932300.21197-100000@super-g.inch.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Has the RSAREF port for 2.2.8 been updated?

--Brett

At 05:52 PM 12/10/1999 , Kris Kennaway wrote:
>On Fri, 10 Dec 1999, spork wrote:
>
> > root@ass[/usr/ports/security/rsaref]# ldd /usr/local/bin/ssh
> > /usr/local/bin/ssh:
> >         libgmp.so.3 => /usr/lib/libgmp.so.3 (0x2806d000)
> >         libz.so.2 => /usr/lib/libz.so.2 (0x28083000)
> >         librsaref.so.2 => /usr/local/lib/librsaref.so.2 (0x28090000)
> >         libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x28099000)
> >         libutil.so.2 => /usr/lib/libutil.so.2 (0x280ae000)
> >         libc.so.3 => /usr/lib/libc.so.3 (0x280b6000)        
> > 
> > does this mean that simply patching, recompiling, and installing librsaref
> > will fix ssh (for this vuln, not the last)?  I'm not a genius with all
> > this shared lib stuff, but I think I'm reading this right...
>
>Yes. None of the librsaref code is included in the ssh binary itself,
>which would be the case if it was linked against the static librsaref.a
>(which you wouldn't see in ldd anyway).
>
>Kris
>
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message