Apple Computer, Inc. Information for VU#333628
OpenSSH contains buffer management errors
- Date Notified: 16 Sep 2003
- Statement Date:
- Date Updated: 01 Oct 2003
Apple: Mac OS X 10.2.8 contains the patches to address CVE CAN-2003-0693, CAN-2003-0695, and CAN-2003-0682. On Mac OS X versions prior to 10.2.8, the vulnerability is limited to a denial of service from the possibility of causing sshd to crash. Each login session has its own sshd, so established connections are preserved up to the point where system resources are exhausted by an attack.
To deliver the update in a rapid and reliable manner, only the patches for CVE IDs listed above were applied, and not the entire set of patches for OpenSSH 3.7.1. Thus, the OpenSSH version in Mac OS X 10.2.8, as obtained via the "ssh -V" command, is:
OpenSSH_3.4p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL 0x0090609f
- Mac OS X Client (updating from 10.2 - 10.2.5):
- Mac OS X Client (updating from 10.2.6 - 10.2.7):
- Mac OS X Server (updating from 10.2 - 10.2.5):
- Mac OS X Server (updating from 10.2.6 - 10.2.7):
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
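Because the patched Mac OS X 10.2.8 build still reports a 3.4p1 base version, a check that compares version numbers alone would flag it as unpatched. The shell script below is an added example, not code from Apple or the CERT/CC; it assumes upstream OpenSSH 3.7.1 and later carry the fixes, and its function names and verdict strings are hypothetical.

```shell
#!/bin/sh
# Classify an `ssh -V` banner for VU#333628 without misreading vendor backports.
# Assumptions of this example: upstream 3.7.1 and later carry the fixes, and the
# "+CAN-2003-0693" suffix marks Apple's patched 3.4p1 build (per the statement).
# Function names and verdict strings are hypothetical.

# Succeeds (returns 0) when dotted version $1 is lower than 3.7.1.
older_than_fixed() {
    old_ifs=$IFS; IFS=.
    set -- $1                       # split "3.7.1" into 3 7 1
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -lt 3 ] && return 0
    [ "$major" -gt 3 ] && return 1
    [ "$minor" -lt 7 ] && return 0
    [ "$minor" -gt 7 ] && return 1
    [ "$patch" -lt 1 ]
}

# Prints one of: vendor-patched, needs-update, fixed-upstream, unknown.
classify_banner() {
    case $1 in
        OpenSSH_*) ;;
        *) echo unknown; return 0 ;;
    esac
    token=${1%%[ ,]*}               # e.g. OpenSSH_3.4p1+CAN-2003-0693
    rest=${token#OpenSSH_}          # e.g. 3.4p1+CAN-2003-0693
    version=${rest%%[!0-9.]*}       # e.g. 3.4 (portable "p1" suffix dropped)
    case $version in
        ''|.*|*..*) echo unknown; return 0 ;;
    esac
    case $rest in                   # backport marker wins over the base version
        *+CAN-2003-0693*) echo vendor-patched; return 0 ;;
    esac
    if older_than_fixed "$version"; then
        echo needs-update
    else
        echo fixed-upstream
    fi
}

# First banner is the one quoted in the statement; the other two are constructed.
for b in \
    'OpenSSH_3.4p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL 0x0090609f' \
    'OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090609f' \
    'OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090609f'
do
    printf '%s -> %s\n' "$(classify_banner "$b")" "$b"
done
```

On a live host, pass the banner in as `classify_banner "$(ssh -V 2>&1)"`, since `ssh -V` writes its version string to standard error.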