From: Kimmo Paasiala
Date: Thu, 3 Nov 2016 11:41:01 +0200
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:33.openssh
To: Martin Simmons
Cc: freebsd-security

Both 10.1 and 10.2 are going to be unsupported by the end of this year, that's probably the reason the fix was not included in them.

https://www.freebsd.org/security/#sup

-Kimmo

On Wed, Nov 2, 2016 at 3:57 PM, Martin Simmons wrote:
>>>>>> On Wed, 2 Nov 2016 07:55:33 +0000 (UTC), FreeBSD Security Advisories said:
>>
>> =============================================================================
>> FreeBSD-SA-16:33.openssh                                    Security Advisory
>>                                                           The FreeBSD Project
>>
>> Topic:          OpenSSH Remote Denial of Service vulnerability
>>
>> Category:       contrib
>> Module:         OpenSSH
>> Announced:      2016-11-02
>> Affects:        All supported versions of FreeBSD.
>> Corrected:      2016-11-02 06:56:35 UTC (stable/11, 11.0-STABLE)
>>                 2016-11-02 07:23:19 UTC (releng/11.0, 11.0-RELEASE-p3)
>>                 2016-11-02 06:58:47 UTC (stable/10, 10.3-STABLE)
>>                 2016-11-02 07:23:36 UTC (releng/10.3, 10.3-RELEASE-p12)
>> CVE Name:       CVE-2016-8858
>
> Should this be corrected in 10.1-RELEASE as well?
>
> I ask because Debian
> (https://security-tracker.debian.org/tracker/CVE-2016-8858) has marked it as
> vulnerable in OpenSSH 6.0 and OpenSSH 6.7 and it looks like 10.1-RELEASE
> contains OpenSSH 6.6, which I assume is also vulnerable.
>
> __Martin