[TriLUG] Two More Vulnerabilities (OpenSSH & Sendmail)

Jason Purdy jason at journalistic.com
Wed Sep 17 16:48:42 EDT 2003


Looks like OpenSSH had a busy day yesterday - there's another release - 
3.7.1 (& 3.7.1p1 for us portable folks) - here's a good recap plus a 
patch if you don't want to re-download the whole tarball:

http://marc.theaimsgroup.com/?l=secure-shell&m=106375496724179&w=2

I just copy/pasted the patch at the bottom (Appendix B), starting at 
Index: buffer.c and ending at the last line of ===='s into a file called 
patch-3.7.1 in the openssh-3.7p1 directory and ran:

patch -b < patch-3.7.1

Then I did a make and make install and /etc/rc.d/init.d/sshd restart.

------------------------------
Sendmail also has a vulnerability, though I'm betting the bunch of you 
guys are lucky enough to take advantage of Jason Tower's great 
presentation on Postfix and have since left sendmail in the dust. 
However, if you are like me and have to support an antiquated machine, 
you may want to check it out.  There's an article on /.:

http://slashdot.org/article.pl?sid=03/09/17/1720253&mode=nested&tid=126&tid=128

However, I'm trying to figure it out and it looks like you only have to 
worry about it if you're using some complex/non-standard rulesets (?):

http://www.sendmail.org/8.12.10.html

Cheers,

Jason
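The copy/paste step from the OpenSSH part of the message above, scripted as an added example (not part of the original post and not OpenSSH project code). `extract_patch` and `sample_advisory` are hypothetical helper names, the advisory text is a constructed stand-in, and `advisory.txt` is an assumed name for a saved copy of the linked message.

```shell
#!/bin/sh
# Added example: carve the patch out of a saved advisory instead of selecting
# it by hand, so that no mail header or list footer ends up in the patch file.

# extract_patch (hypothetical helper): reads the advisory on stdin and writes
# everything from the first "Index: buffer.c" line through the LAST line that
# consists only of "=" characters. Exits non-zero if no such span exists.
extract_patch() {
    awk '
        !started && $0 == "Index: buffer.c" { started = 1 }
        !started { next }                      # skip text before the patch
        { pending = pending $0 "\n" }          # hold lines until a ==== line
        /^=+$/ { printf "%s", pending; pending = ""; found = 1 }
        END { exit (found ? 0 : 1) }           # text after the last ==== is dropped
    '
}

# Constructed stand-in for the advisory text (NOT the real message or patch).
sample_advisory() {
    cat <<'EOF'
Constructed advisory text for this example
Appendix B: patch

Index: buffer.c
===================================================================
--- buffer.c    old
+++ buffer.c    new
@@ -1 +1 @@
-old
+new
===================================================================

list footer, must not end up in the patch
EOF
}

# Demo on the constructed sample: prints the number of lines kept.
sample_advisory | extract_patch | wc -l

# With a real saved copy (advisory.txt is an assumed file name), run from the
# openssh-3.7p1 directory as in the message:
#   extract_patch < advisory.txt > patch-3.7.1 || echo "no patch found" >&2
#   patch -b --dry-run < patch-3.7.1   # GNU patch: report problems, change nothing
#   patch -b < patch-3.7.1             # apply, keeping .orig backups
```

The dry run shows rejected hunks before any source file is modified, and `-b` leaves backups to compare against afterwards.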