This is the mail archive of the cygwin-announce@cygwin.com mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Updated: OpenSSH-3.0.2p1-2

From: Corinna Vinschen <vinschen at redhat dot com>
To: cygann <cygwin-announce at cygwin dot com>
Date: Sun, 16 Dec 2001 13:26:37 +0100
Subject: Updated: OpenSSH-3.0.2p1-2
Reply-to: cygwin <cygwin at cygwin dot com>

I've updated the version of OpenSSH in cygwin/latest to 3.0.2p1-2.

=========================================================================
This is a security update.  Only the Cygwin OpenSSH is concerned.

Problem description:
--------------------
If you're logging in to a Cygwin sshd with version 2 protocol using an
arbitrary user name which is not in /etc/passwd, the forked sshd which
is handling this connection crashes with a segmentation violation.  The
client side encounters an immediate disconnect ("Connection reset by
peer").  This could be used by a malicious remote client to enumerate
the user names on the Cygwin server machine.

Cause:
------
The Cygwin specific code implicitly dereferences a pointer to a struct
passwd.  This pointer can be NULL if the user isn't found in /etc/passwd.


Solution:
---------
Update to version 3.0.2p1-2.
=========================================================================

To update your installation, click on the "Install Cygwin now" link on
the http://sources.redhat.com/cygwin web page.  This downloads setup.exe
to your system.  The, run setup and answer all of the questions.

Note that we do not allow downloads from sources.redhat.com (aka
cygwin.com) due to bandwidth limitations.  This means that you will need
to find a mirror which has this update.

In the US, ftp://mirrors.rcn.net/mirrors/sources.redhat.com/cygwin/ is a
reliable high bandwidth connection.

In Germany,
ftp://ftp.uni-erlangen.de/pub/pc/gnuwin32/cygwin/mirrors/cygnus/ is
usually pretty good.

In the UK,
http://programming.ccp14.ac.uk/ftp-mirror/programming/cygwin/pub/cygwin/
is usually up-to-date within 48 hours.

If one of the above doesn't have the latest version of this package then
you can either wait for the site to be updated or find another mirror.

If you have questions or comments, please send them to the Cygwin
mailing list at:  cygwin@sources.redhat.com .  I would appreciate
if you would use this mailing list rather than emailing me directly.
This includes ideas and comments about the setup utility or Cygwin
in general.

If you want to make a point or ask a question the Cygwin mailing list is
the appropriate place.

              *** CYGWIN-ANNOUNCE UNSUBSCRIBE INFO ***

If you want to unsubscribe to the cygwin-announce mailing list, look
at the "List-Unsubscribe: " tag in the email header of this message.
Send email to the address specified there.  It will be in the format:

cygwin-announce-unsubscribe-you=yourdomain.com@cygwin.com

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]