Subject: Re: RSAREF2 buffer overflow?
To: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
From: David Brownlee <abs@mono.org>
List: tech-crypto
Date: 12/14/1999 22:05:13
	Can we update the rsaref version to rsaref-2.0p3 - that way people
	can immediately determine if they are running the latest version
	by just running 'pkg_info rsaref'.

		David/absolute

On Tue, 14 Dec 1999, Bill Sommerfeld wrote:

> Ok, the fix from CERT CA-99-15 is now merged into the appropriate
> patch in pkgsrc.
> 
> David:
> 
> Text for the website:
> 
> RSAREF2 Library Buffer Overruns Fixed.
> 
> Recently, there have been several buffer overruns discovered in the
> RSAREF library.  Shortly after the bugtraq post reporting this problem
> was released, the fix supplied in that post was added to pkgsrc.
> 
> However, as the CERT advisory CA-99-15 states:
> 
>    We believe the patch originally provided by Core SDI in their
>    advisory may not be a complete fix to this particular problem.
> 
> Correspondingly, the revised fix referenced by the advisory has been
> applied to NetBSD's pkgsrc distribution and is present in
> pkgsrc/security/rsaref/patch-ah revision 1.3 and later.  NetBSD users
> who use packages depending on rsaref should fetch the most recent
> pkgsrc bits as soon as practical and rebuild packages, including ssh,
> which depend on rsaref.
> 
> --- [ end ] ---
> 
> Note that the fix won't be available for anonymous download until sup
> and anoncvs pull the fix (I'm not sure how frequently this is).
> 
> 					- Bill
>
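The check David proposes above, done as an added example (not code from the thread or from pkgsrc): parse the installed package name that `pkg_info -e rsaref` would print and decide whether it is at least the version he suggests for the fixed package, rsaref-2.0p3. The minimum version string, the pkgsrc-style MAJOR.MINOR[pN] version layout, and the sample `pkg_info` outputs are assumptions constructed for the example; the script does not query a real package database, so it runs anywhere a POSIX sh is available.

```shell
#!/bin/sh
# Added example, not from the original thread. Decide whether an installed
# pkgsrc rsaref package is at least the version David proposes for the fixed
# package. Assumes pkgsrc-style versions of the form MAJOR.MINOR[pN], where
# the optional pN suffix is the pkgsrc patch level (2.0 < 2.0p2 < 2.0p3).

MIN_FIXED="rsaref-2.0p3"   # assumption: the version string suggested in the thread

# Split a package name such as "rsaref-2.0p3" into "2 0 3".
# A version with no pN suffix is treated as patch level 0.
version_fields() {
    v=${1##*-}              # drop the package name: 2.0p3
    base=${v%%p*}           # 2.0
    case $v in
        *p*) patch=${v##*p} ;;
        *)   patch=0 ;;
    esac
    major=${base%%.*}       # 2
    minor=${base#*.}        # 0
    echo "$major $minor $patch"
}

# version_ge A B: return 0 if package version A >= package version B, else 1.
version_ge() {
    set -- $(version_fields "$1") $(version_fields "$2")
    [ "$1" -gt "$4" ] && return 0
    [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0
    [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# rsaref_fixed LINE: LINE is one line of `pkg_info -e rsaref` output.
# Returns 0 if the installed rsaref carries the fix, 1 if it is too old,
# and 2 if the line does not look like an installed rsaref package.
rsaref_fixed() {
    case $1 in
        rsaref-*) version_ge "$1" "$MIN_FIXED" ;;
        *)        return 2 ;;
    esac
}

# Constructed sample outputs standing in for `pkg_info -e rsaref` on four
# hypothetical hosts; on a real NetBSD box you would feed the command's
# output to rsaref_fixed instead.
for installed in rsaref-2.0 rsaref-2.0p2 rsaref-2.0p3 rsaref-2.0p4; do
    if rsaref_fixed "$installed"; then
        echo "$installed: ok (>= $MIN_FIXED)"
    else
        echo "$installed: too old, fetch current pkgsrc and rebuild rsaref and the packages (e.g. ssh) that depend on it"
    fi
done
```

The comparison deliberately treats a bare 2.0 as patch level 0 so that an rsaref built before any pkgsrc patch was applied is flagged, and it only looks at the package name, so it says nothing about binaries such as ssh that were linked against an older rsaref and still need rebuilding, which is exactly why the announcement asks users to rebuild dependents as well.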