From owner-freebsd-security Mon Dec 3 19:57:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from pogo.caustic.org (caustic.org [64.163.147.186])
    by hub.freebsd.org (Postfix) with ESMTP id 9A33D37B417
    for ; Mon, 3 Dec 2001 19:57:12 -0800 (PST)
Received: from localhost (jan@localhost)
    by pogo.caustic.org (8.11.6/8.11.6) with ESMTP id fB43vCo96175;
    Mon, 3 Dec 2001 19:57:12 -0800 (PST)
    (envelope-from jan@caustic.org)
Date: Mon, 3 Dec 2001 19:57:11 -0800 (PST)
From: "f.johan.beisser"
X-X-Sender:
To: Holtor
Cc:
Subject: Re: OpenSSH Vulnerability
In-Reply-To: <20011204022811.7604.qmail@web11603.mail.yahoo.com>
Message-ID: <20011203195401.M16958-100000@localhost>
X-Ignore: This statement isn't supposed to be read by you
X-TO-THE-FBI-CIA-AND-NSA: HI! HOW YA DOIN?
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Mon, 3 Dec 2001, Holtor wrote:

> The advisory says all versions prior to 2.9.9 are
> vulnerable and I see sftp-server is on by default in
> freebsd's sshd_config and freebsd has version 2.9
>
> Ideas?

no, it's not. OpenSSH was patched against this a while ago. my
understanding is that FreeBSD's version was patched not all that long ago.

the temporary fix was to close off sftp. with the upgrade, the "bad
behaviour" was fixed.

-------/ f. johan beisser /--------------------------------------+
  http://caustic.org/~jan                      jan@caustic.org
    "John Ashcroft is really just the reanimated corpse
        of J. Edgar Hoover." -- Tim Triche

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message