Description:
The remote host is missing updates announced in advisory CLA-2003:741.
OpenSSH[1] is a very popular and versatile tool that uses encrypted connections between hosts and is commonly used for remote administration.
This update fixes new vulnerabilities found in the code that handles buffers in OpenSSH. These vulnerabilities are similar to the ones fixed in the CLSA-2003:739 announcement[2] (CVE-2003-0693) and can be exploited by a remote attacker to cause a denial of service condition and potentially execute arbitrary code (although there is still no concrete evidence of that).
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0695 to this additional issue[3].
The OpenSSH team released version 3.7.1, which fixes this vulnerability[4]. This update contains the versions originally distributed with Conectiva Linux, with backported patches added.
Additionally, patches made by Solar Designer to fix memory bugs in other parts of the code are being added. Although it is unlikely that these bugs are exploitable, they are being treated as security fixes for now and have been assigned the name CVE-2003-0682[5] by the Common Vulnerabilities and Exposures project (cve.mitre.org).
Solution: The apt tool can be used to perform RPM package upgrades by running 'apt-get update' followed by 'apt-get upgrade'.
[1] http://www.openssh.org
[2] http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000739&idioma=en
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0695
[4] http://www.openssh.com/txt/buffer.adv
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0682
http://www.securityspace.com/smysecure/catid.html?in=CLA-2003:741
http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=002003
Risk factor: Critical
CVSS Score: 10.0