From owner-freebsd-security Tue Jan 1 9:39:53 2002 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 2A9EC37B41D for ; Tue, 1 Jan 2002 09:39:48 -0800 (PST) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.6/8.11.5) with SMTP id g01HawD14673; Tue, 1 Jan 2002 12:36:58 -0500 (EST) (envelope-from robert@fledge.watson.org) Date: Tue, 1 Jan 2002 12:36:58 -0500 (EST) From: Robert Watson X-Sender: robert@fledge.watson.org To: John Hay Cc: cjclark@alum.mit.edu, Randy Bush , freebsd-security@FreeBSD.ORG Subject: Re: openssh version In-Reply-To: <200201010631.g016Va856231@zibbi.icomtek.csir.co.za> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 1 Jan 2002, John Hay wrote: > > On Mon, Dec 31, 2001 at 01:12:50PM -0800, Randy Bush wrote: > > > i did a cvsup of -stable (4.5-prerelease) yesterday. it seems to have > > > OpenSSH_2.9 as opposed to 3.0.x. for a number of reasons, this is a bit > > > unsettling. > > > > What would those reasons be? > > I can think of two: > > If you check the version number that ours report and then go to the > OpenSSH security page, http://www.openssh.org/security.html, it makes > you wonder. I know at least some of those things were fixed in our tree, > but it is confusing. My understanding is that we are not vulnerable to any of these problems; I've asked that we list the "localizations" somewhere obvious so it can be clear that is the case, but I'm not sure that has happened. The confusion concern is an important one. > ============================================================================== > OpenSSH version 2.9 has a bug which can cause lost EOF errors when used as > a BitKeeper transport, especially over slow links. We've confirmed that > the problem has been fixed as of version 2.9.9; get an update at > http://www.openssh.com/portable.html > ============================================================================== > > My solution is to use the ports version. Maybe we should remove the > in-tree version and just get sysinstall to install the ports version by > default? Or otherwise maybe get the guy that maintain the ports version > to also do the in-tree version? He seems quite quick in updating the > ports version. I've run into a related problem with SSH forwarding that occurs when a forwarded TCP connection takes a while to connect. The problem is that apparently the OpenSSH sshd we ship discards data sent over a forwarded connection before all parts are completed. If you're using forwarding connecting to a server with high latency, and on a client-driven protocol, you may lose some content on the connection. Many relevant protocols are server-driven (i.e., server banner before client data transmission) and therefore work fine, and most connections are sufficiently timely from the remote host that it is not a problem, but it can be a very irritating bug. It is apparently fixed in more recent versions. Eivind Eklund was looking at merging our various localizations forward (including PAM), and I'd really like to look at an upgrade in the post-4.5 scenario. Getting it in before the release is (at this point) out of the question, however. Robert N M Watson FreeBSD Core Team, TrustedBSD Project robert@fledge.watson.org NAI Labs, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message