Old vulnerability (CAN-2000-0999)

Tim Rice tim at multitalents.net
Wed Nov 10 10:00:53 EST 2004


On Tue, 9 Nov 2004, Darryle Merlette wrote:

> Hi folks,
> When running a Foundstone scan against an appliance with
> SSH-1.99-OpenSSH_3.8p1, it flags the following as a high risk
> vulnerability:
> -------------------------
> CVE: CAN-2000-0999
[snip]
>
> Since this vulnerability is so old, and a patch for it has been known to
> exist for almost as long
> (ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/028_format_strings.patch),
> I would conclude that this likely is no longer a problem, and the
> Foundstone scan result is a false positive. However, I've been unable to
> find documented evidence that this has been fixed. Does anyone know for
> sure and/or can point me to the proof?

You can check the CVSWEB at http://cvsweb.mindrot.org/index.cgi/openssh/
That was fixed back in 2.1.1P3.

-- 
Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net
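
The version comparison behind the reply above, as an added example that is not part of the original thread or of OpenSSH: it parses the SSH identification banner and compares the OpenSSH version to the release the reply names as fixed. The function names and result labels are hypothetical, and the fixed-in value is taken from the reply as an assumption.

```python
import re

# Assumption taken from the reply above: CAN-2000-0999 was fixed in 2.1.1p3.
FIXED_IN = "2.1.1p3"

# SSH identification string: SSH-<protoversion>-<softwareversion>[ comments]
_BANNER = re.compile(
    r"^SSH-\d+\.\d+-OpenSSH_(?P<ver>[0-9][0-9.]*(?:p\d+)?)(?:[ -].*)?$", re.I)
_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?$", re.I)


def parse_version(text):
    """Turn '3.8p1' into (3, 8, 0, 1): major, minor, patch, portable level."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError("unrecognised OpenSSH version: %r" % text)
    return tuple(int(g) if g else 0 for g in m.groups())


def banner_version(banner):
    """Return the OpenSSH version string from a banner, or None."""
    m = _BANNER.match(banner.strip())
    return m.group("ver") if m else None


def triage(banner, fixed_in=FIXED_IN):
    """Classify a banner-based scanner finding.

    'fixed-by-version' : banner version is at or after the fixed release
    'needs-review'     : banner version is older; check for a backported
                         patch before treating the host as vulnerable
    'unknown'          : not an OpenSSH banner, or version not parseable
    """
    ver = banner_version(banner)
    if ver is None:
        return "unknown"
    try:
        current = parse_version(ver)
    except ValueError:
        return "unknown"
    return "fixed-by-version" if current >= parse_version(fixed_in) else "needs-review"


if __name__ == "__main__":
    # Banner quoted in the original question.
    print(triage("SSH-1.99-OpenSSH_3.8p1"))
```

A banner only reports what the server claims to be, so the result supports a false-positive call but the changelog or patch history remains the proof.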





More information about the openssh-unix-dev mailing list