From owner-freebsd-security Wed Jun 26 17:27:33 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx01.nexgo.de (mx01.nexgo.de [151.189.8.96]) by hub.freebsd.org (Postfix) with ESMTP id 5C64937BF52 for ; Wed, 26 Jun 2002 16:25:51 -0700 (PDT) Received: from localhost (dsl-213-023-062-204.arcor-ip.net [213.23.62.204]) by mx01.nexgo.de (Postfix) with ESMTP id ECFDA3BD4E; Wed, 26 Jun 2002 23:15:35 +0200 (CEST) Received: by localhost (Postfix, from userid 31451) id 534C644B1; Wed, 26 Jun 2002 23:15:31 +0200 (CEST) Date: Wed, 26 Jun 2002 23:15:31 +0200 From: Markus Friedl To: Brett Glass Cc: Jan Lentfer , FreeBSD Security Mailling List Subject: Re: OpenSSH Security (just a question, please no f-war) Message-ID: <20020626211530.GB902@folly> References: <1025116241.2817.2.camel@jan-linux.lan> <4.3.2.7.2.20020626124251.02213460@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4.3.2.7.2.20020626124251.02213460@localhost> User-Agent: Mutt/1.3.28i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org 3.3 has not fixed the bugs, but 3.4 fixes these bugs. see http://www.openssh.com/txt/preauth.adv (2nd rev) -m On Wed, Jun 26, 2002 at 12:51:15PM -0600, Brett Glass wrote: > At 12:30 PM 6/26/2002, Jan Lentfer wrote: > > >I am now running 3.3p1 on all my boxes (FreeBSD & Linux) with Privilige > >Separation enabled. Is this configuration secure for now or not? > > It's not clear. The OpenSSH team claims that when the fixed the bug > discovered by ISS they also fixed other vulnerabilities which ISS > did NOT discover. If any of these are in 3.3p1, we may be vulnerable. > Markus would, of course, be the authority on this issue; maybe he'd > care to comment? > > --Brett > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message