From owner-freebsd-questions@FreeBSD.ORG  Fri Oct 31 00:54:42 2003
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 4004416A4CE
	for <freebsd-questions@freebsd.org>;
	Fri, 31 Oct 2003 00:54:42 -0800 (PST)
Received: from smtp.mailbox.co.uk (smtp.mailbox.net.uk [195.82.125.32])
	by mx1.FreeBSD.org (Postfix) with ESMTP id E033E43F85
	for <freebsd-questions@freebsd.org>;
	Fri, 31 Oct 2003 00:54:40 -0800 (PST)
	(envelope-from wayne@penguinpowered.org)
Received: from [212.18.250.170] (helo=marvin.penguinpowered.org)
	by smtp.mailbox.co.uk with esmtp (Exim 3.36 #1)
	id 1AFV3H-0002Uz-00; Fri, 31 Oct 2003 08:54:39 +0000
Received: by marvin.penguinpowered.org (Postfix, from userid 1001)
	id EC39815A14; Fri, 31 Oct 2003 08:55:15 +0000 (GMT)
Date: Fri, 31 Oct 2003 08:55:15 +0000
From: Wayne Pascoe <freebsd-questions@penguinpowered.org>
To: Kris Kennaway <kris@obsecurity.org>
Message-ID: <20031031085515.GA75391@marvin.penguinpowered.org>
References: <20031030141926.GB71952@marvin.penguinpowered.org>
	<20031030182206.GC29685@rot13.obsecurity.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20031030182206.GC29685@rot13.obsecurity.org>
User-Agent: Mutt/1.4.1i
Sender: wayne@penguinpowered.org
X-System: FreeBSD i386 with kernel 4.9-PRERELEASE
cc: freebsd-questions@freebsd.org
Subject: Re: openssh in 4.9
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Oct 2003 08:54:42 -0000

On Thu, Oct 30, 2003 at 10:22:06AM -0800, Kris Kennaway wrote:
> Please read the security advisory.

I've read the advisory. It states a couple of workarounds (which I
enabled at the time anyway) and also states that the problem is
rectified in -STABLE beyond a certain date.

However, looking at the openssh advisory's, the only fix is to be
running a version 3.7.1p1 or later. So I'm confused. Have the FreeBSD
team backported these fixes into 3.5.1 ? 

One of my problems is that some of my clients occasionally have 3rd
parties perform penetration testing on our servers. I need an
explanation for when the 3rd party comes back and says that I am running
a vulnerable ssh.

Regards,

-- 
Wayne Pascoe
Everything to excess. To enjoy the flavour of 
life, take big bites. Moderation is for 
monks. - Robert Heinlein