Date: Thu, 27 Jun 2002 08:09:29 -0400
From: Chris Johnson
To: D J Hawkey Jr
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: CERT (Was: Re: NUTS! "Much ado about nothing" -- I need a clearer up or down)
Message-ID: <20020627120929.GA33498@palomine.net>
In-Reply-To: <20020627065435.A3772@sheol.localdomain>

On Thu, Jun 27, 2002 at 06:54:35AM -0500, D J Hawkey Jr wrote:
> OpenSSH in RELENG_4_5 (FreeBSD 4.5-RELEASE[-pN]) is OpenSSH_2.9.
> To reiterate, all that has to be done for this version is turn off
> "ChallengeResponseAuthentication".

The version in RELENG_4_5 does not have this bug, so you don't even have to turn off ChallengeResponseAuthentication to be safe from this particular vulnerability. You're safe either way.

That's not to say that it might not be vulnerable in some other way.

Chris Johnson