From owner-freebsd-security@FreeBSD.ORG  Tue Sep 16 07:55:28 2003
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id AF0CF16A4B3
	for <freebsd-security@freebsd.org>;
	Tue, 16 Sep 2003 07:55:28 -0700 (PDT)
Received: from gw.celabo.org (gw.celabo.org [208.42.49.153])
	by mx1.FreeBSD.org (Postfix) with ESMTP id DE23B43FB1
	for <freebsd-security@freebsd.org>;
	Tue, 16 Sep 2003 07:55:26 -0700 (PDT)
	(envelope-from nectar@celabo.org)
Received: from madman.celabo.org (madman.celabo.org [10.0.1.111])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK))
	by gw.celabo.org (Postfix) with ESMTP
	id 5B5F35485D; Tue, 16 Sep 2003 09:55:26 -0500 (CDT)
Received: by madman.celabo.org (Postfix, from userid 1001)
	id F33C06D454; Tue, 16 Sep 2003 09:55:25 -0500 (CDT)
Date: Tue, 16 Sep 2003 09:55:25 -0500
From: "Jacques A. Vidrine" <nectar@FreeBSD.org>
To: Mitch Collinsworth <mitch@ccmr.cornell.edu>
Message-ID: <20030916145525.GB90755@madman.celabo.org>
Mail-Followup-To: "Jacques A. Vidrine" <nectar@FreeBSD.org>,
	Mitch Collinsworth <mitch@ccmr.cornell.edu>,
	freebsd-security@freebsd.org
References: <20030916134347.GA30359@madman.celabo.org>
	<Pine.LNX.4.58.0309161046030.11275@ori.ccmr.cornell.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.LNX.4.58.0309161046030.11275@ori.ccmr.cornell.edu>
X-Url: http://www.celabo.org/
User-Agent: Mutt/1.5.4i-ja.1
cc: freebsd-security@freebsd.org
Subject: Re: OpenSSH heads-up
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Sep 2003 14:55:28 -0000

On Tue, Sep 16, 2003 at 10:47:28AM -0400, Mitch Collinsworth wrote:
> Is this advisory available anywhere else?  I'm continually getting
> server timeout when trying to load this URL.  Meanwhile www.openssh.org
> doesn't seem to have any mention of the advisory.  [?]

It loads for me sometimes only.  It is supposed to be at
<URL:http://www.openssh.com/txt/buffer.adv>, but it isn't there yet.

Here's the meat of it:

---- begin excerpt ----
 This is the 1st revision of the Advisory.

 This document can be found at:  http://www.openssh.com/txt/buffer.adv

 1. Versions affected:

        All versions of OpenSSH's sshd prior to 3.7 contain a buffer
        management error.  It is uncertain whether this error is
        potentially exploitable, however, we prefer to see bugs
        fixed proactively.

 2. Solution:

        Upgrade to OpenSSH 3.7 or apply the following patch.
---- end excerpt ----

Cheers,
-- 
Jacques Vidrine   . NTT/Verio SME      . FreeBSD UNIX       . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se