Date: Fri, 9 Feb 2001 13:22:11 -0800 (PST)
From: Matt Dillon <dillon@earth.backplane.com>
To: Alfred Perlstein <bright@wintelcom.net>
Cc: green@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: OpenSSH port patch
Message-ID: <200102092122.f19LMBh08953@earth.backplane.com>
References: <20010209110044.I26076@fw.wintelcom.net>
    I think it's a whole lot better than simply marking the package
    forbidden!  I was actually surprised that the package was marked
    forbidden, when the fix is only a few minutes of work.
					-Matt
:Please trim CC!
:
:This removes the 'forbidden' and adds a patch to correct the
:hash overflow as suggested by the Bindview audit.
:
:I'm cc'ing Brian Feldman (green) because he's maintainer, -ports
:because I'm not really good at ports and -security so that people
:can look this over.
:
:May I apply this patch?
:
:Index: Makefile
:===================================================================
:RCS file: /home/ncvs/ports/security/openssh/Makefile,v
:retrieving revision 1.57
:diff -u -u -r1.57 Makefile
:--- Makefile	2001/02/09 04:58:24	1.57
:+++ Makefile	2001/02/09 18:53:06
:@@ -20,8 +20,6 @@
: 
: .include <bsd.port.pre.mk>
: 
:-FORBIDDEN=	"Remote vulnerabilities"
:-
: CRYPTOLIBS=	-L${OPENSSLLIB} -lcrypto
: # Here, MANDIR is concetenated to DESTDIR which all forms the man install dir...
: MAKE_ENV+=	DESTDIR=${PREFIX} MANDIR=/man/man CRYPTOLIBS="${CRYPTOLIBS}"
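Review bot: with only the FORBIDDEN= line deleted, nothing in the Makefile distinguishes a port built with the new files/patch-az from one built at revision 1.57, so a package/build revision bump should go in alongside this hunk; otherwise users who already installed the earlier package see no update available. Minor: the unchanged comment line still reads "concetenated", which could be corrected to "concatenated" while the file is being touched.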
:Index: files/patch-az
:===================================================================
:RCS file: patch-az
:diff -N patch-az
:--- /dev/null	Fri Feb  9 10:59:20 2001
:+++ patch-az	Fri Feb  9 10:58:58 2001
:@@ -0,0 +1,11 @@
:+--- /home/bright/ssh/ssh/deattack.c	Fri Aug 18 19:17:12 2000
:++++ deattack.c	Fri Feb  9 10:58:54 2001
:+@@ -84,7 +84,7 @@
:+ detect_attack(unsigned char *buf, u_int32_t len, unsigned char *IV)
:+ {
:+ 	static u_int16_t *h = (u_int16_t *) NULL;
:+-	static u_int16_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
:++	static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
:+ 	register u_int32_t i, j;
:+ 	u_int32_t l;
:+ 	register unsigned char *c;
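Review bot: widening n from u_int16_t to u_int32_t addresses the 16-bit truncation behind the Bindview hash-overflow finding, but the seven lines shown contain no use of n; its initializer HASH_MINSIZE / HASH_ENTRYSIZE marks it as the entry count of the static table h, and the lines where that count is grown, allocated and compared against the computed index are all outside the hunk, so from what is posted a reviewer cannot confirm that no other 16-bit variable, cast or comparison on that path still truncates. Please post the change with that context included, or state which other lines of deattack.c were checked. Also, the header `--- /home/bright/ssh/ssh/deattack.c` carries a personal absolute path; port patches normally name the original as it sits in the work directory (e.g. `deattack.c.orig`) so the file applies the same way for everyone.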
:
:-- 
:-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
:"I have the heart of a child; I keep it in a jar on my desk."
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200102092122.f19LMBh08953>
