From owner-freebsd-security Sun Nov 14 19:55:47 1999
Delivered-To: freebsd-security@freebsd.org
Received: from sand2.sentex.ca (sand2.sentex.ca [209.167.248.3]) by hub.freebsd.org (Postfix) with ESMTP id 85D4414D45 for ; Sun, 14 Nov 1999 19:55:42 -0800 (PST) (envelope-from mike@sentex.net)
Received: from gravel (ospf-mdt.sentex.net [205.211.164.81]) by sand2.sentex.ca (8.8.8/8.8.8) with SMTP id WAA26927 for ; Sun, 14 Nov 1999 22:55:40 -0500 (EST) (envelope-from mike@sentex.net)
Message-Id: <4.1.19991114225545.04626d60@granite.sentex.ca>
X-Sender: mdtancsa@granite.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Sun, 14 Nov 1999 22:56:40 -0500
To: freebsd-security@FreeBSD.ORG
From: Mike Tancsa
Subject: ssh-1.2.27 remote buffer overflow - work around ??
In-Reply-To: <19991114165649.A95613@osaka.louisville.edu>
References: <4.1.19991114153939.046249a0@granite.sentex.ca> <4.1.19991114000355.04d7f230@granite.sentex.ca> <4.1.19991114153939.046249a0@granite.sentex.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 04:56 PM 11/14/99 , Keith Stevenson wrote:
>On Sun, Nov 14, 1999 at 03:46:00PM -0500, Mike Tancsa wrote:
>>
>> I am not so worried at this point about kerb integration, as I don't use it.
>> What I am worried about is remote root exploitation.... Or am I missing
>> something in the bugtraq post ? The poster indicates remote root
>> exploitation is difficult, but possible in
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=14749
>> I have cc'd the official maintainer. Perhaps he could comment ?
>
>I get the impression from the Bugtraq post that only SSH linked against
>RSAREF is vulnerable. Pity that those of us in the US are required to use
>the buggy code.

Actually, in this case, will USA_RESIDENT=NO in the make file then get around this problem ?

	---Mike
**********************************************************************
Mike Tancsa, Network Admin        *  mike@sentex.net
Sentex Communications Corp,       *  http://www.sentex.net/mike
Cambridge, Ontario                *  01.519.651.3400
Canada                            *