
List:       suse-security
Subject:    ssh  and saint... and popper
From:       Gediminas Grigas <gedas () kryptis ! lt>
Date:       2001-02-26 18:43:29

Hello,

  Saint says:
  "ssh versions 1.2.27 and earlier if compiled with the --with-rsaref
  option are vulnerable."
  ...
  "This problem can be fixed by upgrading to ssh-1.2.28. If this is
  not possible, then install the ssh patch "

  SuSE has the latest patch, which produces ssh-1.2.27-209 for SuSE 6.3/6.4
  (this version was uploaded 15/Feb or so.)
  So I thought it looks like a brand new vulnerability...
  The only link given to the 1.2.28 sources is ftp://ftp.cs.hut.fi/pub/ssh/
  which seems not to allow anonymous users...
  I would prefer an rpm, because I have one machine without any sources
  due to low HDD space, so it couldn't compile at all - but rpmfind did
  not find any 1.2.28.
  Oh well, I would compile the sources on another SuSE 6.3 machine, if only I
  could get them.
  So my question would be: is it a new ssh bug, and no vendors have yet
  developed a patch, or is there some mess with versions and saint?
  Where could I get the sources of ssh-1.2.28?
  P.S. I downloaded saint today - so it should be up to date.
  P.P.S. Saint also complains about popper, even although I patched it
  on the last SuSE rpm update (pop-99.11.2-5). It seems to provide qpop 2.53, so I got the sources from
  eudora.com and upgraded popper to 3.1.2 (what a version jump?!)
  QUALCOMM's note on this:
Security Vulnerability
Some versions of Qpopper are vulnerable to buffer overruns.
Qpopper 2.41 and older can be used to obtain root access to your system.
Qpopper 2.53 and older may permit an attacker who has access to a valid account to obtain a shell
with group-id 'mail', potentially allowing read/write access to all mail.
All users of Qpopper are urged to upgrade to the current version.

:(
  

Sincerely Yours,
 Gediminas Grigas                      mailto:gedas@kryptis.lt
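The version confusion in this post (Saint flagging ssh 1.2.27 while SuSE ships a patched ssh-1.2.27-209, and a pop-99.11.2-5 package that actually provides qpop 2.53) is a common scanner-triage problem. Below is an added example, not code from the post or from SAINT or SuSE, that compares an installed package string against an advisory's "last affected" version and flags distro-release suffixes for a backport check; the version strings are taken from the post, the function names are my own.

```python
import re
from typing import List, Tuple

# Version strings as they appear in the post (constructed test inputs):
#   "ssh-1.2.27-209"  SuSE package: upstream 1.2.27, distro release 209
#   "pop-99.11.2-5"   SuSE package whose upstream is really qpop 2.53
#   "3.1.2"           upstream Qpopper the poster installed from source
PKG_RE = re.compile(r'(?:[a-z]+-)?([0-9][0-9.]*?)(?:-([0-9A-Za-z.]+))?')

def split_version(v: str) -> Tuple[List[int], str]:
    """Split 'ssh-1.2.27-209' into numeric upstream parts [1, 2, 27]
    and the distro release suffix '209' ('' when there is none)."""
    m = PKG_RE.fullmatch(v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    upstream = [int(p) for p in m.group(1).split('.') if p]
    return upstream, m.group(2) or ''

def compare_upstream(a: str, b: str) -> int:
    """Compare upstream parts numerically (so 2.53 > 2.41 and 1.2.27 < 1.2.28).
    Returns -1, 0 or 1. Missing trailing components count as 0."""
    pa, _ = split_version(a)
    pb, _ = split_version(b)
    n = max(len(pa), len(pb))
    pa += [0] * (n - len(pa))
    pb += [0] * (n - len(pb))
    return (pa > pb) - (pa < pb)

def triage(installed: str, last_affected: str) -> str:
    """Classify a scanner finding that says 'last_affected and earlier are vulnerable'.
    'fixed'          upstream version is newer than the last affected one
    'check-backport' upstream is affected, but a distro release suffix means the
                     vendor may have backported the fix; confirm via the vendor
                     advisory or package changelog before trusting the banner
    'vulnerable'     plain upstream version within the affected range"""
    if compare_upstream(installed, last_affected) > 0:
        return 'fixed'
    _, release = split_version(installed)
    return 'check-backport' if release else 'vulnerable'

if __name__ == '__main__':
    # SAINT: "1.2.27 and earlier ... vulnerable"; QUALCOMM: "2.53 and older"
    for pkg, last in [("ssh-1.2.27-209", "1.2.27"), ("1.2.28", "1.2.27"),
                      ("3.1.2", "2.53"), ("pop-99.11.2-5", "2.53")]:
        print(f"{pkg:16} vs last affected {last:7} -> {triage(pkg, last)}")
```

Note that pop-99.11.2-5 is reported as 'fixed' against 2.53 purely because 99 > 2, even though the post says it provides qpop 2.53: a package version number is not an upstream version number, and the vendor's mapping (changelog or advisory) is what settles such findings.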


