OpenSSH 3.7.1p2

Dagmar d'Surreal dagmar.wants at
Wed Sep 24 03:15:55 PDT 2003

On Tue, 2003-09-23 at 17:19, Archaic wrote:
> On Tue, Sep 23, 2003 at 04:36:18PM -0500, Dagmar d'Surreal wrote:
> <..>
> In less than a week they have released 3 times. 3.7p1, 3.7.1p1, and now
> 3.7.1p2. Dagmar, have you read the changelog, yet? 3.7p1 was supposed to
> be the one that fixed the situation and that's the one I d/l'd and
> installed as soon as it hit slashdot. Took bloody forever for the
> mirrors to get it and the main server was slammed. Don't know if I'm in
> too big of a hurry to do that again, unless the problem wasn't fixed
> right the first 2 times.

Actually, I think the delay this time was with trying to be sure it was
really fixed.  As I understand it Zalewski spotted four more possible
bugs in the code just hours after 3.7.1p1 came out.  I was frankly
expecting to see the fixes released as 3.7.2, but since it's only
non-BSD systems that would be vulnerable...  Anyway, considering that I
use the pro-police patch for gcc, openwall kernel patches, and tcp
wrappers as well as iptables firewalling to limit my exposure to
singular reasonably safe hosts, I wasn't going to lose much sleep over
it.  (The moral is, when you build a firewall, build a firewall and not
a router with filtering capabilities.)

The email address above is phony because the people making archives of list
traffic publicly available on the web aren't taking measures to protect the
email addresses from filthy spammers.  
              AIM: evilDagmar  Jabber: evilDagmar at
