Release Engineering Status Report

Tue Sep 16 13:12:15 PDT 2003

On Tue, 16 Sep 2003, Kris Kennaway wrote:

> On Tue, Sep 16, 2003 at 02:16:17PM -0500, Craig Boston wrote:
> > On Tuesday 16 September 2003 12:14 pm, Ruben de Groot wrote:
> > > Fortunately, there's allready a patch in the source tree:
> > >
> > > http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssh/buffer.c.diff?r1=1
> > >.1.1.6&r2=1.1.1.7&f=h
> >
> > Yes, fortunately the patch is there.  I noticed however that in the version
> > committed to the RELENG_4_8 branch, RCSID wasn't changed, so it's not
> > possible to use ident to tell if your libssh needs to be patched or not (both
> > old and new say 1.16)...  Was that an oversight or should I be using some
> > other method to determine if I'm running a vulnerable version or not?
>
> Err, the RCS ID is updated automatically upon CVS checkin..is that
> really what you mean?

Yes, it is. The updated openssh/buffer.c has this near the top, still:

[[
RCSID("$OpenBSD: buffer.c,v 1.16 2002/06/26 08:54:18 markus Exp $");
]]

... the fix around line 100 has been merged; this change hasn't.

-- 
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44(0)117 9287088 Fax +44 (0)117 9287112 http://ioctl.org/jan/
Boycott Arabic numerals! What have they ever done for us?