OpenSSH 3.7 released

Pekka Savola pekkas at
Wed Sep 17 05:49:09 EST 2003

On Tue, 16 Sep 2003, Markus Friedl wrote:
> Security Changes:
> =================
>   All versions of OpenSSH's sshd prior to 3.7 contain a buffer
>   management error.  It is uncertain whether this error is
>   potentially exploitable, however, we prefer to see bugs
>   fixed proactively.
>   OpenSSH 3.7 fixes this bug.

My (very!) quick look at this would seem to indicate that buffer_append() 
is not called with any useful or user-given input before TCP wrappers 
checks are activated.

Has anyone (else) looked into this?

Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

More information about the openssh-unix-dev mailing list