From owner-freebsd-security  Thu Jun 27  5:19:11 2002
Delivered-To: freebsd-security@freebsd.org
Received: from sirius.pbegames.com (sirius.pbegames.com [64.124.9.107])
	by hub.freebsd.org (Postfix) with ESMTP id 5D7FF37B407
	for <freebsd-security@FreeBSD.ORG>; Thu, 27 Jun 2002 05:19:06 -0700 (PDT)
Received: from leviathan.pbegames.com (medusa.pbegames.com [141.156.220.22])
	by sirius.pbegames.com (8.11.5/8.11.5) with ESMTP id g5RCJ5R20113
	for <freebsd-security@FreeBSD.ORG>; Thu, 27 Jun 2002 08:19:05 -0400 (EDT)
	(envelope-from thomas@pbegames.com)
Message-Id: <5.1.0.14.2.20020627081749.01e19620@pbegames.com>
X-Sender: thomas@pbegames.com
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Thu, 27 Jun 2002 08:20:40 -0400
To: freebsd-security@FreeBSD.ORG
From: Mark Thomas <thomas@pbegames.com>
Subject: Re: CERT (Was: Re: NUTS! "Much ado about nothing" -- I need a
  clearer up or down)
In-Reply-To: <20020627120929.GA33498@palomine.net>
References: <20020627065435.A3772@sheol.localdomain>
 <UqmS8.2068$eH2.1608821@ruti.visi.com>
 <200206261711.g5QHB9t00396@sheol.localdomain>
 <xzpr8itxzgm.fsf@flood.ping.uio.no>
 <20020626210055.A2065@sheol.localdomain>
 <20020627022949.GA55324@energistic.com>
 <20020626214957.A2165@sheol.localdomain>
 <88624007.20020627130948@internethelp.ru>
 <20020627065435.A3772@sheol.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

At 08:09 AM 6/27/02 -0400, Chris Johnson wrote:
>On Thu, Jun 27, 2002 at 06:54:35AM -0500, D J Hawkey Jr wrote:
> > OpenSSH in RELENG_4_5 (FreeBSD 4.5-RELEASE[-pN]) is OpenSSH_2.9.
> > To reiterate, all that has to be done for this version is turn off
> > "ChallengeResponseAuthentication".
>
>The version in RELENG_4_5 does not have this bug, so you don't even have to
>turn off ChallengeResponseAuthentication to be safe from this particular
>vulnerability. You're safe either way.

If you're running older versions be careful. This option may not exist, and 
hupping a server with this in place can cause it to shut itself down, 
leaving you with no daemon running.


Mark Thomas
---
thomas@pbegames.com ----> http://www.pbegames.com/~thomas
Play by Electron Games -> http://www.pbegames.com Free Trial Games


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message