From owner-freebsd-security@FreeBSD.ORG Wed Jul 8 00:52:57 2009
Message-ID: <4A53EDC1.4040506@freebsd.org>
Date: Tue, 07 Jul 2009 17:52:17 -0700
From: FreeBSD Security Officer (cperciva@freebsd.org)
Organization: FreeBSD Project
To: freebsd-security@freebsd.org
Reply-To: security-officer@freebsd.org
Subject: rumours of openssh vulnerability
List-Id: "Security issues [members-only posting]"

Hi all,

There are rumours flying around about a supposed vulnerability in OpenSSH.
Two details which I've seen mentioned many times are (a) that this exploit
was used to break into a RedHat system running OpenSSH 4.3 plus backported
security patches, and (b) that "recent" versions of OpenSSH are not
affected; but it's not clear if there is any basis for these rumours.

Given the almost complete lack of information here, there obviously will
not be a FreeBSD security advisory forthcoming until we know more.

As such, I can only recommend that the standard advice be followed: Use a
firewall to limit who can access OpenSSH, and make sure that you are
running a supported FreeBSD release.

If anyone has any concrete information concerning this, please contact the
FreeBSD security team at .

-- 
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid
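The message's only concrete recommendation is to put a firewall in front of sshd. The following pf ruleset is an added example of that advice, not part of the original mail or of any FreeBSD advisory: it restricts TCP port 22 on the external interface to a table of trusted management hosts and additionally rate-limits those hosts so that a compromised admin box cannot hammer the daemon. The interface name em0 and the addresses in the ssh_admins table are constructed placeholders (RFC 5737 documentation ranges) that must be replaced with your own.

```pf
# /etc/pf.conf fragment (added example; not from the original message)
# Assumption: em0 is the Internet-facing interface.
ext_if = "em0"

# Hosts allowed to reach sshd. Constructed example addresses; replace them.
table <ssh_admins> { 192.0.2.0/24, 203.0.113.10 }

# Sources that exceeded the connection-rate limit below; 'persist' keeps
# the table alive even when it is empty.
table <ssh_bruteforce> persist

set skip on lo0
scrub in all

# Drop anything already flagged as abusive before evaluating the pass rule.
block in quick on $ext_if from <ssh_bruteforce>

# Default: log and drop SSH from everyone. pf is last-match-wins, so the
# narrower pass rule below overrides this only for the trusted table.
block in log on $ext_if proto tcp to ($ext_if) port ssh

# Allow trusted hosts, but cap each source at 10 open connections and
# 5 new connections per 30 seconds; offenders are moved into
# <ssh_bruteforce> and their existing states are flushed.
pass in on $ext_if proto tcp from <ssh_admins> to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, \
     overload <ssh_bruteforce> flush global)
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`. `pfctl -t ssh_bruteforce -T show` lists sources that tripped the rate limit, and `pfctl -t ssh_bruteforce -T delete <addr>` releases one that was a false positive. Keep a second session open when first enabling the rules so a mistake in the ssh_admins table does not lock you out.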