Vulnerability Development mailing list archives
Re: SSH 1.2.26 vulnerability real or not?
From: Jan IVEN <jan.iven () CERN CH>
Date: Fri, 18 Aug 2000 11:40:15 +0200
"PM" == Bluefish (P Magnusson) <11a () GMX NET> writes:
PM> I'm curious about an old SSH issue I stumbled across at
PM> http://marc.theaimsgroup.com. It's regarding the old SSH 1.2.26 code.
....
PM> Trying to stay away from flaming SSH, but can you really commit a fix and
PM> at the same time deny that there is no problem?
From the very same archive you were quoting:
List: freebsd-security
Subject: Re: [rootshell] Security Bulletin #25 (fwd)
From: Warner Losh <imp () village org>
Date: 1998-11-02 22:37:33

Just so everyone knows, this advisory was only a draft advisory and was cancelled over the weekend. I saw the original advisory and checked stuff in based on it, since generally changes like this are good and can't hurt anything. After I checked in the fixes to ssh, I discovered that it had been determined that there was no way of exploiting this buffer call because all the places that called it had bounds checking. Given that the changes I made don't hurt anything, I'm going to leave them in for now.
Regards
Jan