
Re: OpenSSH Security Advisory: buffer.adv



On Wed, 17 Sep 2003, Darren Reed wrote:

> In some mail from Dries Schellekens, sie said:
> >
> > On Wed, 17 Sep 2003, Markus Friedl wrote:
> >
> > > This is the 2nd revision of the Advisory.
> > >
> > > This document can be found at:  http://www.openssh.com/txt/buffer.adv
> > >
> > > 1. Versions affected:
> > >
> > >         All versions of OpenSSH's sshd prior to 3.7.1 contain buffer
> > >         management errors.  It is uncertain whether these errors are
> > >         potentially exploitable, however, we prefer to see bugs
> > >         fixed proactively.
> > >
> > >         Other implementations sharing common origin may also have
> > >         these issues.
> >
> > How was the bug discovered? No credits are provided in the advisory.
>
> The only advisory I've seen claim to have "discovered" it has been the
> ISS X-Force one...

Then you have to look harder:
* http://www.openbsd.org/advisories/ssh_afstoken.txt
	Credits: Marcell Fodor
* http://www.openbsd.org/advisories/ssh_channelalloc.txt
	Credits: Joost Pol
* http://www.openssh.com/txt/preauth.adv
	Credits: ISS

If you are subscribed to security-announce@openbsd.org, you'll see Todd
frequently provides credit in his emails.
* http://marc.theaimsgroup.com/?l=openbsd-security-announce&m=106323655917088&w=2
	"Thanks to blexim for finding this bug and notifying us."
* http://marc.theaimsgroup.com/?l=openbsd-security-announce&m=106141237515023&w=2
	"Credit goes to blexim for finding and reporting the problem."
* http://marc.theaimsgroup.com/?l=openbsd-security-announce&m=106001584530967&w=2
	"This is the same bug that was recently found in the wu-ftpd ftpd
	server by Janusz Niewiadomski and Janusz Niewiadomski."
I only looked at the emails sent in the last 2 months, because you can see
they DO provide credit.


Darren, next time check the facts (which took me 10 minutes), before
making wild claims.


Cheers,

Dries
--
Dries Schellekens
email: gwyllion@ulyssis.org