Hi,

Vulnerability described in CVE-2009-2904
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2904 was
addressed in https://rhn.redhat.com/errata/RHSA-2009-1470.html for
RHEL. Isn't F11 openssh version also vulnerable?

Regards,
Michal
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

On Friday 26 March 2010 07:25:53 pm Michał Piotrowski wrote:
> Vulnerability described in CVE-2009-2904
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2904 was
> addressed in https://rhn.redhat.com/errata/RHSA-2009-1470.html for
> RHEL. Isn't F11 openssh version also vulnerable?

RHEL5 uses version 4.3. The CVE was caused by a flaw in a patch that backported
a feature from 4.8 to 4.3. Fedora 11 is on 5.2, so it should not be
vulnerable.

-Steve
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

On Saturday 27 March 2010 09:17:55 am Steve Grubb wrote:
> On Friday 26 March 2010 07:25:53 pm Michał Piotrowski wrote:
> > Vulnerability described in CVE-2009-2904
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2904 was
> > addressed in https://rhn.redhat.com/errata/RHSA-2009-1470.html for
> > RHEL. Isn't F11 openssh version also vulnerable?
>
> RHEL5 uses version 4.3. The CVE was caused by a flaw in a patch that
> backported a feature from 4.8 to 4.3. Fedora 11 is on 5.2, so it should
> not be vulnerable.

More research...looks like this took care of it:

* Mon Sep 21 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-6
- remove homechroot patch

So if you are on 5.2p1-6, you should be OK.

-Steve
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

2010/3/27 Steve Grubb <sgrubb@redhat.com>:
> On Saturday 27 March 2010 09:17:55 am Steve Grubb wrote:
>> On Friday 26 March 2010 07:25:53 pm Michał Piotrowski wrote:
>> > Vulnerability described in CVE-2009-2904
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2904 was
>> > addressed in https://rhn.redhat.com/errata/RHSA-2009-1470.html for
>> > RHEL. Isn't F11 openssh version also vulnerable?
>>
>> RHEL5 uses version 4.3. The CVE was caused by a flaw in a patch that
>> backported a feature from 4.8 to 4.3. Fedora 11 is on 5.2, so it should
>> not be vulnerable.
>
> More research...looks like this took care of it:
>
> * Mon Sep 21 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-6
> - remove homechroot patch
>
> So if you are on 5.2p1-6, you should be OK.
>

This upgrade should be pushed to updates-testing and updates

yum --enablerepo=updates-testing upgrade openssh
[..]
openssh x86_64 5.2p1-5.fc11 updates-testing 265 k

Regards,
Michal
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

On Saturday 27 March 2010 04:17:13 pm Michał Piotrowski wrote:
> > So if you are on 5.2p1-6, you should be OK.
>
> This upgrade should be pushed to updates-testing and updates
>
> yum --enablerepo=updates-testing upgrade openssh
> [..]
> openssh x86_64 5.2p1-5.fc11 updates-testing
> 265 k

I'll see that this is pushed out as soon as we can. In the meantime, you can
grab it here:

http://koji.fedoraproject.org/koji/buildinfo?buildID=132898

-Steve
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

W dniu 28 marca 2010 04:21 użytkownik Steve Grubb <sgrubb@redhat.com> napisał:
> On Saturday 27 March 2010 04:17:13 pm Michał Piotrowski wrote:
>> > So if you are on 5.2p1-6, you should be OK.
>>
>> This upgrade should be pushed to updates-testing and updates
>>
>> yum --enablerepo=updates-testing upgrade openssh
>> [..]
>> Â*openssh Â* Â* Â* Â* Â* Â* Â*x86_64 Â* Â* Â*5.2p1-5.fc11 Â* Â* Â* updates-testing
>> 265 k
>
> I'll see that this is pushed out as soon as we can.

Ok, thanks!

> In the meantime, you can
> grab it here:
>
> http://koji.fedoraproject.org/koji/buildinfo?buildID=132898
>
> -Steve
>
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel