Debian Security Advisory
sshd -- buffer overflow in logging
- Date Reported: 10 Dec 1998
- Affected Packages: ssh
- Vulnerable: Yes
- Security database references: No other external database security references currently available.
- More information:
There has been a lot of confusion over ssh lately: some people think
their systems have been hacked through ssh, although nobody has been
able to produce an exploit. To avoid any possible problems we have
patched ssh to fix any possible buffer overruns. We think this will
stop any attack that might be out there. This also includes the fixes
to the Kerberos code that were distributed.
Please note that this patch does not suffer from the license problems of other patches that have circulated: it does not use the vsnprintf implementation from ssh 2, but instead uses the code from sendmail (which was based on code floating around on Usenet) for systems that don't have vsnprintf in their libc.
We recommend you upgrade your ssh package immediately.
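The class of fix described above, bounding formatted log output with vsnprintf, looks like this in C. This is an added example, not code from the ssh patch or from Debian; `format_log` and `LOG_BUF_SIZE` are hypothetical names and the oversized input is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 64  /* hypothetical size, deliberately small for the demo */

/* Hypothetical logging helper: formats a message into a fixed-size buffer.
 * Returns 0 if the message fit, 1 if it was truncated, -1 on error. */
static int format_log(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (out == NULL || outlen == 0)
        return -1;

    va_start(ap, fmt);
    /* vsnprintf writes at most outlen bytes, terminator included.
     * The unbounded form, vsprintf(out, fmt, ap), keeps writing past the
     * end of out when an expanded argument is longer than the buffer. */
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);

    if (n < 0) {          /* format error (pre-C99 libcs also used -1 for truncation) */
        out[0] = '\0';
        return -1;
    }
    if ((size_t)n >= outlen) {
        /* C99: n is the length the full message would have had. */
        if (outlen > 4)
            memcpy(out + outlen - 4, "...", 4);  /* visible truncation mark + NUL */
        return 1;
    }
    return 0;
}

int main(void)
{
    char buf[LOG_BUF_SIZE];
    char longname[300];   /* constructed oversized, remotely supplied string */

    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    printf("%d [%s]\n", format_log(buf, sizeof buf, "connection from %s port %d",
                                   "host.example", 22), buf);
    printf("%d [%s]\n", format_log(buf, sizeof buf, "login attempt for user %s",
                                   longname), buf);
    return 0;
}
```

Returning a distinct code for truncation lets the caller record that a log line was cut short rather than silently losing the tail.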
- Fixed in:
  - All - (in release 2.1) ssh-1.2.26-1.2
  - All - (in release 2.1) ssh-askpass-1.2.26-1.2