
September 30, 2003

CERT: Clarify Recent Vulnerabilities in OpenSSH

I guess CERT has gotten quite a few inquiries regarding the recent Advisory for OpenSSH issues–CERT has issued an email to clarify exactly what issues there currently may be in installations of OpenSSH in the wild.

In the clarification email they referenced the following vulnerability notes:
VU#333628 - OpenSSH contains buffer management errors
VU#602204 - OpenSSH PAM challenge authentication failure
VU#209807 - Portable OpenSSH server PAM conversion stack corruption

I didn’t notice the email’s info on the CERT front page or the Vulnerability page but the OpenSSH vulnerability advisory (CA-2-2003-24) has been updated with the patch information for OpenSSH 3.7.1p1. For those folks not on the CERT advisory email list, read the extended version of this entry to see the full email.

There followed of course the obligatory PGP

Posted by Eric at September 30, 2003 02:27 AM