From owner-freebsd-security Tue Dec 14 21:23:15 1999
Delivered-To: freebsd-security@freebsd.org
Received: from quaggy.ursine.com (lambda.blueneptune.com [209.133.45.179])
	by hub.freebsd.org (Postfix) with ESMTP id 19B901521D
	for ; Tue, 14 Dec 1999 21:23:13 -0800 (PST)
	(envelope-from fbsd-security@ursine.com)
Received: from michael (lambda.ursine.com [209.133.45.69])
	by quaggy.ursine.com (8.9.3/8.9.3) with ESMTP id VAA50432
	for ; Tue, 14 Dec 1999 21:23:10 -0800 (PST)
Message-ID: <199912142123110810.09F93633@quaggy.ursine.com>
In-Reply-To: <199912142052000380.09DCA719@quaggy.ursine.com>
References: <199912150404.WAA28271@alecto.physics.uiuc.edu> <199912142052000380.09DCA719@quaggy.ursine.com>
X-Mailer: Calypso Version 3.00.00.13 (2)
Date: Tue, 14 Dec 1999 21:23:11 -0800
From: "Michael Bryan"
To: freebsd-security@FreeBSD.ORG
Subject: Re: CERT released RSAREF bulletin
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 12/14/99 at 8:52 PM Michael Bryan wrote:

>
>As a final note, a BugTraq message said that somebody has coded an exploit
>for the bug as seen in sshd 1.2.27 and earlier, and they are about to release
>it to the world.

Speak of the devil... the exploit was just published on BugTraq, and
the author says it was tested against sshd running on Linux (RedHat 6.0)
and OpenBSD 2.6.

Reading through the description of the exploit, it appears that the
mid-November patch to sshd is enough to stop this one cold, even if
RSAREF2 remains unpatched.

Michael Bryan
fbsd-security@ursine.com