From owner-freebsd-security  Mon Dec  3 18:37:21 2001
Delivered-To: freebsd-security@freebsd.org
Received: from shemp.palomine.net (shemp.palomine.net [216.135.64.135])
	by hub.freebsd.org (Postfix) with SMTP id 3D49637B416
	for <security@freebsd.org>; Mon,  3 Dec 2001 18:37:15 -0800 (PST)
Received: (qmail 88424 invoked by uid 1000); 4 Dec 2001 02:37:08 -0000
Date: Mon, 3 Dec 2001 21:37:08 -0500
From: Chris Johnson <cjohnson@palomine.net>
To: Holtor <holtor@yahoo.com>
Cc: security@freebsd.org
Subject: Re: OpenSSH Vulnerability
Message-ID: <20011203213708.A88390@palomine.net>
References: <20011204022811.7604.qmail@web11603.mail.yahoo.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="jI8keyz6grp/JLjh"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20011204022811.7604.qmail@web11603.mail.yahoo.com>; from holtor@yahoo.com on Mon, Dec 03, 2001 at 06:28:11PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org


--jI8keyz6grp/JLjh
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, Dec 03, 2001 at 06:28:11PM -0800, Holtor wrote:
> Is freebsd's SSH vulnerable to this?
>=20
> http://www.securityfocus.com/archive/1/243430
>=20
> The advisory says all versions prior to 2.9.9 are
> vulnerable and I see sftp-server is on by default in
> freebsd's sshd_config

How do you figure that? I see:

# Uncomment if you want to enable sftp
#Subsystem      sftp    /usr/libexec/sftp-server

in my /etc/ssh/sshd_config file, and the sshd man page says, "By default no
subsystems are defined."

Chris Johnson

--jI8keyz6grp/JLjh
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE8DDbTyeUEMvtGLWERAkc2AJ9QupZJ7or36BNawhlaeOdNuAq6fgCdG4Qo
BjKTtrZIGxkdEew0Dx47vmU=
=24S1
-----END PGP SIGNATURE-----

--jI8keyz6grp/JLjh--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message