-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Aruba Wireless Networks Security Advisory

Title: SSH vulnerabilities
Aruba Advisory ID: AID-11182003
Revision: 1.0
For Public Release on 11/18/2003 at 19:00 (GMT)
Reference: CERT Vulnerability Note VU#333628
- ------------------------------------------------------------------------

SUMMARY

Versions of the OpenSSH server prior to 3.7.1 contain buffer management errors. Although the actual impact of these vulnerabilities is not yet clear, they may lead to memory corruption and a denial-of-service condition.

PRODUCTS AND FIRMWARE VERSIONS AFFECTED

Hardware: All Aruba Wireless Networks switching platforms (800 and 5000) are affected.
Software: All Aruba AirOS versions are vulnerable.

DETAILS

The SSH code contains an error in its general handling of buffers. In this case, it is caused by a large amount of memory being cleared, which creates a problem when memory of the appropriate size is freed on the heap.

Memory corruption and possible crash.

WORKAROUND

Only allow access from trusted devices, using access control lists.

SOLUTION

A software fix is required. All previous and newer versions of released software have a patch available. Note that the patch does not update the OpenSSH version number itself, but all security patches have been applied.

OBTAINING FIXED FIRMWARES

The following AirOS versions contain fixes for this issue.

1.1_4312 and later (built 11/18/2003)
2.0_4310 and later (built 11/18/2003)
All new code releases after 11/18/2003

Aruba Support contacts are as follows:

1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)
e-mail: support(at)arubanetworks.com
web: //www.nexbus-cng.com/support

Please do not contact either "wsirt(at)arubanetworks.com" or "security(at)arubanetworks.com" for software upgrades.

EXPLOITATION AND PUBLIC ANNOUNCEMENTS

This vulnerability will be announced at http://www.kb.cert.org/vuls

STATUS OF THIS NOTICE: Final

Although Aruba Wireless Networks cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Aruba Wireless Networks does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Aruba Wireless Networks may update this advisory.

A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aruba's website at //www.nexbus-cng.com/support/wsirt/alerts/AID-11182003.asc

Future updates of this advisory, if any, will be placed on Aruba's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

REVISION HISTORY

Revision 1.0 / 11-18-2003 / Initial release

ARUBA WSIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aruba Wireless Networks products and obtaining assistance with security incidents is available at //www.nexbus-cng.com/support/wsirt.php

For reporting *NEW* Aruba Wireless Networks security issues, email can be sent to wsirt(at)arubanetworks.com or security(at)arubanetworks.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at //www.nexbus-cng.com/support/wsirt.php

(c) Copyright 2003 by Aruba Wireless Networks, Inc. This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGeFn+p6KijA4qefURAiBsAJ9MVv74TJfnLSg0VELTohEotRoPFgCgtRp2
3b9z691ZfRi8+hNZJrWaNVM=
=0okD
-----END PGP SIGNATURE-----