Re: SSH 1.2.26 vulnerability real or not?

[Jan IVEN <jan.iven () CERN CH>]

> > > > > "PM" == Bluefish (P Magnusson) <11a () GMX NET> writes:

 PM> I'm curious about an old SSH issue I stumbled accross at
 PM> http://marc.theaimsgroup.com. It's regarding the old SSH 1.2.26 code.
....
 PM> Trying to stay away from flaming SSH, but can you really commit a fix and
 PM> at the same time deny that there is no problem?

> From the very same archive you were quoting:

> List: freebsd-security
> Subject: Re: [rootshell] Security Bulletin #25 (fwd)
> From: Warner Losh <imp () village org>
> Date: 1998-11-02 22:37:33
>
> Just so everyone knows, this advisory was only a draft advisory and
> was cancelled over the weekend.  I saw the original advisory and
> checked stuff in based on it, since generally changes like this are
> good and can't hurt anything.  After I checked in the fixes to ssh, I
> discovered that it had been determined that there was no way of
> exploiting this buffer call because all the places that called it had
> bounds checking.
>
> Given that the changes I made don't hurt anything, I'm going to leave
> them in for now.

Regards
Jan