Hi All, How are you guys handling the SSH vulnerability issue?

Have any of you got 3.3 working on testing/woody? Anyone tested the newest 3.4? I've included patches below to solve the problem (courtesy Markus Friedl [EMAIL PROTECTED]). How soon do you think these patches could be included in the Debian binaries? This would be a real solution for us ISPs, since going to 3.3 may not be a practical option, especially with no compression and broken PAM support.

> Index: auth2-chall.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v
> retrieving revision 1.18
> diff -u -r1.18 auth2-chall.c
> --- auth2-chall.c 19 Jun 2002 00:27:55 -0000 1.18
> +++ auth2-chall.c 26 Jun 2002 09:37:03 -0000
> @@ -256,6 +256,8 @@
>
> authctxt->postponed = 0; /* reset */
> nresp = packet_get_int();
> + if (nresp > 100)
> + fatal("input_userauth_info_response: nresp too big %u", nresp);
> if (nresp > 0) {
> response = xmalloc(nresp * sizeof(char*));
> for (i = 0; i < nresp; i++)
>
> B:
>
> Index: auth2-pam.c
> ===================================================================
> RCS file: /var/cvs/openssh/auth2-pam.c,v
> retrieving revision 1.12
> diff -u -r1.12 auth2-pam.c
> --- auth2-pam.c 22 Jan 2002 12:43:13 -0000 1.12
> +++ auth2-pam.c 26 Jun 2002 10:12:31 -0000
> @@ -140,6 +140,15 @@
> nresp = packet_get_int(); /* Number of responses. */
> debug("got %d responses", nresp);
>
> +
> + if (nresp != context_pam2.num_expected)
> + fatal("%s: Received incorrect number of responses "
> + "(expected %u, received %u)", __func__, nresp,
> + context_pam2.num_expected);
> +
> + if (nresp > 100)
> + fatal("%s: too many replies", __func__);
> +
> for (i = 0; i < nresp; i++) {
> int j = context_pam2.prompts[i];
>

Sincerely,
Jason
http://www.zentek-international.com/
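Review bot: in the auth2-chall.c hunk, the new `if (nresp > 100)` guard is placed correctly, above the `xmalloc(nresp * sizeof(char*))` whose size computation and the following `for (i = 0; i < nresp; i++)` loop it bounds, but 100 is an unexplained magic number with no relation to the number of prompts the server actually sent in this exchange. Give it a named constant with a comment, and consider the tighter condition of rejecting any `nresp` that differs from the prompt count, which is what the auth2-pam.c side of this patch already does with `num_expected`. The `%u` in the fatal() message is right only if `nresp` is declared unsigned, which is not visible in the hunk and worth confirming.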
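Review bot: in the auth2-pam.c hunk, the arguments to the new fatal() are in the wrong order for its format string: "(expected %u, received %u)" is passed `nresp` first and `context_pam2.num_expected` second, so the log will report the two numbers swapped; the call should read `__func__, context_pam2.num_expected, nresp`. Once `nresp` has been required to equal `num_expected`, the following `if (nresp > 100)` can only fire when the server itself queued more than 100 prompts, so either drop it here or move that cap to where `num_expected` is set. Minor: the existing `debug("got %d responses", nresp)` prints the same variable with `%d` that the new code prints with `%u`; pick one.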
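The pattern both hunks enforce, as an added example that is not from this post or from OpenSSH: a client-supplied response count is checked against the number of prompts the server issued and against a hard cap before it is used as an allocation size or a loop bound. The packet reader, `parse_info_response`, the status codes and the two sample packets are all constructed for illustration (not captured traffic, not OpenSSH's API); `wrapped_alloc_size` assumes 4-byte pointers, i.e. a 32-bit build, to show how an unchecked count turns into an undersized buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bound on responses accepted from the client, matching the 100 in the patch. */
#define MAX_RESPONSES 100u

enum resp_status {
    RESP_OK = 0,
    RESP_BAD_COUNT,   /* nresp != number of prompts the server sent */
    RESP_TOO_MANY,    /* nresp above MAX_RESPONSES */
    RESP_TRUNCATED,   /* packet shorter than nresp claims */
    RESP_OOM
};

/* Minimal cursor over a received packet; a stand-in (assumption) for
 * packet_get_int()/packet_get_string() using the same uint32-prefixed format. */
struct reader { const uint8_t *p; size_t len; size_t off; };

static int get_u32(struct reader *r, uint32_t *out)
{
    if (r->len - r->off < 4)
        return 0;
    *out = ((uint32_t)r->p[r->off] << 24) | ((uint32_t)r->p[r->off + 1] << 16) |
           ((uint32_t)r->p[r->off + 2] << 8) | (uint32_t)r->p[r->off + 3];
    r->off += 4;
    return 1;
}

static char *get_string(struct reader *r)
{
    uint32_t n;
    char *s;
    if (!get_u32(r, &n) || n > r->len - r->off)
        return NULL;
    if ((s = malloc((size_t)n + 1)) == NULL)
        return NULL;
    memcpy(s, r->p + r->off, n);
    s[n] = '\0';
    r->off += n;
    return s;
}

/* What a 32-bit build computes for nresp * sizeof(char *) (pointer = 4 bytes,
 * assumed for illustration): the product wraps, and the resulting allocation
 * is far smaller than the nresp pointers a loop would then store into it. */
uint32_t wrapped_alloc_size(uint32_t nresp)
{
    return nresp * (uint32_t)sizeof(uint32_t);
}

void free_responses(char **resp, uint32_t n)
{
    for (uint32_t i = 0; i < n; i++)
        free(resp[i]);
    free(resp);
}

/* Hardened parse: the count is validated against what the server asked for
 * and against the hard cap before it feeds an allocation size or loop bound. */
enum resp_status parse_info_response(const uint8_t *buf, size_t len,
                                     uint32_t num_expected,
                                     char ***out, uint32_t *out_n)
{
    struct reader r = { buf, len, 0 };
    uint32_t nresp, i;
    char **resp;

    *out = NULL;
    *out_n = 0;
    if (!get_u32(&r, &nresp))
        return RESP_TRUNCATED;
    if (nresp != num_expected)
        return RESP_BAD_COUNT;
    if (nresp > MAX_RESPONSES)   /* also rules out any size_t overflow below */
        return RESP_TOO_MANY;
    if (nresp == 0)
        return RESP_OK;
    if ((resp = calloc(nresp, sizeof(char *))) == NULL)
        return RESP_OOM;
    for (i = 0; i < nresp; i++) {
        if ((resp[i] = get_string(&r)) == NULL) {
            free_responses(resp, i);
            return RESP_TRUNCATED;
        }
    }
    *out = resp;
    *out_n = nresp;
    return RESP_OK;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t good_packet[] = {
    0, 0, 0, 2,                          /* nresp = 2 */
    0, 0, 0, 5, 'h', 'u', 'n', 't', 'r', /* response 1 */
    0, 0, 0, 1, '2'                      /* response 2 */
};
static const uint8_t hostile_packet[] = { 0x40, 0, 0, 1 }; /* nresp = 0x40000001 */

int main(void)
{
    char **resp;
    uint32_t n;
    enum resp_status st = parse_info_response(good_packet, sizeof good_packet, 2, &resp, &n);
    printf("good packet: status %d, %u responses\n", (int)st, n);
    if (st == RESP_OK)
        free_responses(resp, n);
    st = parse_info_response(hostile_packet, sizeof hostile_packet, 2, &resp, &n);
    printf("hostile packet: status %d (32-bit wrapped size would be %u bytes)\n",
           (int)st, wrapped_alloc_size(0x40000001u));
    return 0;
}
```

The ordering inside `parse_info_response` is the point: the equality check against `num_expected` is the tight condition, the cap is a backstop, and both run before `calloc` or the loop ever see the untrusted count.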