[plug] X11 connection rejected with updated ssh
Craig Ringer
craig at postnewspapers.com.au
Fri Sep 26 10:03:55 WST 2003
> You might want to reconsider as I believe that prior to 3.7, there is an
> exploit in the wild for some months and it apparently has been used to
> hack into boxes. The current pam problems are still theoretical (and
> apply to only some configurations), and are likely to remain
> theoretical because they have been fixed. Basically, if you are not
> running the latest version, you are vulnerable.
>
> This is one case where waiting for the dust to settle is likely to
> increase your exposure ...

The various linux distributors backport security fixes from the newly
released "fixed" software into the version they already use. This is to
assure the user they will _only_ be getting the security fix - no nasty
side effects due to changes between versions.

As such, while openssh portable releases prior to 3.7 may be vulnerable,
this is only true of the "vanilla" openssh - distros may have fixed the
issue in earlier versions. They may also theoretically backport a
feature into an older version and bring with it a security hole.

Basically, unless you built it yourself the version number is not enough
to check the security status of a package. Use the changelog. In the
case of Woody:

openssh (1:3.4p1-1.woody.3) stable-security; urgency=high

  * NMU by the security team.
  * Apply additional realloc fixes from Solar Designer
  * Apply double-free fix, taken from OpenBSD CVS

 -- Wichert Akkerman <wakkerma at debian.org>  Fri, 19 Sep 2003 08:00:44 +0000

openssh (1:3.4p1-1.woody.2) stable-security; urgency=high

  * NMU by the security team.
  * SECURITY: Additional buffer handling patches from OpenSSH upstream
    (additional patches to buffer.c and new patch to channels.c)
  * Merge upstream patch to ssh-keysign that prevents freed
    memory reuse. Pulls in -1.woody.1

 -- Michael Stone <mstone at debian.org>  Tue, 16 Sep 2003 20:45:35 -0400

openssh (1:3.4p1-1.1) stable-security; urgency=high

  * NMU by the security team.
  * Merge patch from OpenBSD to fix a security problem in buffer handling
    CAN-2003-0693

 -- Wichert Akkerman <wakkerma at debian.org>  Tue, 16 Sep 2003 13:06:31 +0200

(and on it goes....)

Craig Ringer
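
The changelog check described in the post, as an added example that is not part of the original message: a shell function that reads a Debian-format changelog and prints the package revisions whose entries name a given advisory id. The function names are illustrative, the sample is trimmed from the excerpt quoted above, and the CAN- and CVE- prefixes are treated as the same identifier.

```shell
#!/bin/sh
# Added example: decide patch status from the package changelog,
# not from the upstream version number.

# changelog_fixes ID
# Reads a Debian-format changelog on stdin and prints the version of
# every entry whose body mentions ID. CAN-yyyy-nnnn and CVE-yyyy-nnnn
# are matched interchangeably, case-insensitively.
changelog_fixes() {
    awk -v id="$1" '
        BEGIN {
            num = tolower(id)
            sub(/^(cve|can)-/, "", num)      # keep only "yyyy-nnnn"
            pat = "(cve|can)-" num
        }
        # Entry header: "package (version) distribution; urgency=..."
        /^[a-z0-9][a-z0-9+.-]* \(.*\) / {
            ver = $2
            gsub(/[()]/, "", ver)
            seen = 0
            next
        }
        # Body line: report each entry once if it names the id.
        ver != "" && !seen && tolower($0) ~ pat {
            print ver
            seen = 1
        }
    '
}

# Sample input: two entries trimmed from the changelog quoted in the post.
sample_changelog() {
    cat <<'EOF'
openssh (1:3.4p1-1.woody.3) stable-security; urgency=high

  * NMU by the security team.
  * Apply double-free fix, taken from OpenBSD CVS

 -- Wichert Akkerman <wakkerma at debian.org>  Fri, 19 Sep 2003 08:00:44 +0000

openssh (1:3.4p1-1.1) stable-security; urgency=high

  * Merge patch from OpenBSD to fix a security problem in buffer handling
    CAN-2003-0693

 -- Wichert Akkerman <wakkerma at debian.org>  Tue, 16 Sep 2003 13:06:31 +0200
EOF
}

sample_changelog | changelog_fixes CAN-2003-0693
```

On a Debian system the installed package's changelog is at /usr/share/doc/<package>/changelog.Debian.gz; pipe it through zcat into changelog_fixes. An empty result means the changelog does not name that id, which is not proof the fix is absent, since entries such as the woody.3 one above describe fixes without an identifier.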