similar to: zlib

Displaying 20 results from an estimated 20000 matches similar to: "zlib"

2002 Mar 22
1
Is OpenSSH vulnerable to the ZLIB problem or isn't it?
SSH.COM says their SSH2 is not vulnerable to the ZLIB problem even though they use the library (details below). Can OpenSSH say the same thing? In either case, it seems like there ought to be an openssh-unix-announce message about what the situation is. I may have missed it, but I don't believe there was one. Yes, openssh doesn't have its own copy of zlib source but it would still be
2005 Nov 06
2
What happened with portaudit?
Hello, One of my machines I got a report about 3 vulnerable packages (php4, ruby, openssl) in tomorrow's security run output, but in today's security run output all of them disappeared, but nobody upgraded or removed the affected packages. I reinstalled portaudit, refreshed its database, but now it reports 0 affected packages. The pkg_info command lists that three packages, so they are
2005 Jul 07
1
rsync 2.6.6pre1 released (ALERT: info on zlib security flaw)
There has been some talk about a zlib security problem that could let someone overflow the buffers in the zlib decompression code, potentially allowing someone to craft an exploit to execute arbitrary code. Since this is a decompression bug, this can only affect an rsync daemon if it allows uploads with the --compress option enabled. If you run a daemon that allows uploads, you may wish to add
2005 Jul 27
2
[Bug 1063] Checking for zlib version 1.2.3
http://bugzilla.mindrot.org/show_bug.cgi?id=1063 Summary: Checking for zlib version 1.2.3 Product: Portable OpenSSH Version: -current Platform: All URL: http://www.zlib.net/ OS/Version: All Status: NEW Severity: normal Priority: P2 Component: Build system AssignedTo: bitbucket at
2007 Mar 29
2
Integer underflow in the "file" program before 4.20
Hello http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1536 "Integer underflow in the file_printf function in the "file" program before 4.20 allows user-assisted attackers to execute arbitrary code via a file that triggers a heap-based buffer overflow." Is FreeBSD 5.x/6.x affected too? It looks the System has file 4.12. The port has 4.20. Regards, Thomas -- Terry
2006 Sep 13
2
ports / www/linux-seamonkey / flashplugin vulnerability
Hi! Since linux-flashplugin7 r63 is vulnerable according to http://vuxml.FreeBSD.org/7c75d48c-429b-11db-afae-000c6ec775d9.html isn't www/linux-seamonkey vulnerable, too (it seems to include 7 r25)? Bye Arne
2006 Sep 30
9
FreeBSD Security Advisory FreeBSD-SA-06:22.openssh
FreeBSD-SA-06:22.openssh Security Advisory The FreeBSD Project Topic: Multiple vulnerabilities in OpenSSH Category: contrib Module: openssh Announced:
2005 Jul 07
1
[Fwd: [Full-disclosure] [ GLSA 200507-05 ] zlib: Buffer overflow]
Has Centos been tested for this yet? -------- Original Message -------- Subject: [Full-disclosure] [ GLSA 200507-05 ] zlib: Buffer overflow Date: Wed, 06 Jul 2005 16:23:20 +0200 From: Thierry Carrez <koon at gentoo.org> Organization: Gentoo Linux To: gentoo-announce at lists.gentoo.org CC: full-disclosure at lists.grok.org.uk, bugtraq at securityfocus.com, security-alerts at
2005 Aug 28
1
Acroread7 security vulnerability
Hi! cc'd to freebsd-security@ as somebody there may correct me, cc'd to secteam@ as maintainer of security/portaudit. On Sun, 28 Aug 2005 10:14:21 +0930 Ian Moore wrote: > I've just updated my acroread port to 7.0.1 & was surprised when portaudit > still listed it as a vulnerability. I think it is portaudit problem. > According to
2005 Sep 07
2
Problem with portaudit's database
Hello! Yesterday portaudit notified me about squid's vulnerability, but today it didn't (despite I haven't upgraded squid). This has attracted my attention, so I've compared yesterday's and today's auditfile.tbz: -r--r--r-- 1 root wheel 29875 Sep 6 15:40 auditfile.tbz vs. -r--r--r-- 1 root wheel 5685 Sep 7 10:11 auditfile.tbz I don't see commits to
2005 Jul 06
1
FreeBSD Security Advisory FreeBSD-SA-05:16.zlib
FreeBSD-SA-05:16.zlib Security Advisory The FreeBSD Project Topic: Buffer overflow in zlib Category: core Module: libz Announced: 2005-07-06 Credits:
2005 May 15
1
About the vulnerabilities in tcpdump and gzip.
Dear list, About a week ago, right after 5.4-RELEASE was released, I received a mail from Gentoo Linux's security announcement list about a flaw in tcpdump and gzip. Since none of them are operating system related, I assumed a -p1 and -p2 of the 5.4-RELEASE. Instead, we got a patch for the HTT security issue so I wonder, is the FreeBSD version of tcpdump and/or gzip are secured or simply
2007 Aug 02
1
Fw: FreeBSD Security Advisory FreeBSD-SA-07:07.bind
> John Freeman wrote: > >> Same problem on AMD64 build. I'm too lazy to attach full text, this >> system doesn't use bind and jail. > > What branch are you tracking? > > Doug > 6.2 STABLE (RELENG_6 latest cvs) amd64 -
2002 Aug 19
4
Building 3.0p1 on HPUX 10.2, gcc, zlib 1.1.4
Hi everybody, I've never posted here before but I seem to be having a similar problem to what Tim Rice had in July, namely when running the configure script I get the following: configure: error: *** zlib missing - please install first or check config.log *** However, I have definitely installed zlib (see below): dngwks1:/tmp/openssh-3.0p1 # swlist # Initializing... # Contacting target
2005 Sep 07
2
ee using 99% cpu after user ssh session terminates abnormally
Recently I have been using a dialup 56k account to access the net and have noticed that when my ssh session times out and I am editing a file in ` ee ' the system goes to 99% cpu usage and stays like this till the pid is killed. This is a standard user account (not root/su) Would a user be able to create a denial of service condition on the remote system using this bug? (sorry if this is
2006 Jan 19
1
OpenSSH 4.0 p1 and zlib vulnerability
Hi, I'm using OpenSSH 4.0 p1 linked with zlib version less than 1.2.2 in a number of systems. These are all production systems where I can't upgrade the service. I have a question that if I disable the compression by setting "compression no" in sshd_config, will I be able to overcome the Buffer overflow vulnerability in zlib. I just glanced through the code and it seems sshd is
2002 Mar 13
3
zlib compression, the exploit, and OpenSSH
Attached is a zlib advisory and a debug dump of ssh with compression enabled. Most of the debug is superfluous, so I have underlined the two points to look at. When creating an ssh connection, compression on the line is done *before* authentication -- This means an unauthorized attacker could, conceivably, leverage root access by connecting to the ssh server requesting zlib compression and
2003 May 28
1
FW: Question about logging.
I'm forwarding this to security@, as I'm getting no replies on ipfw@. Hope it's relevant enough for you :( ---Original Message----- From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Erik Paulsen Skålerud Sent: Wednesday, May 28, 2003 1:02 AM To: ipfw@freebsd.org Subject: Question about logging. Sorry for asking this, It's probably been