From: "Greenshaw, Steve"
To: "'freebsd-security@freebsd.org'"
Date: Sat, 4 Oct 2003 21:27:59 +0100
Subject: Security Fix Confusion
Message-ID: <911E4B4A51A3D3119DD600508B44B4A40840C4@ammail.ucsm.ac.uk>

Hi,

I'm wondering if anybody could enlighten me about the effect of tracking RELENG?

When the OpenSSH advisory came out (SA-03:12) I allowed a few days for all issues to get ironed out and then used CVSUP to rebuild my boxes with RELENG_4_7 or RELENG_4_8 (as appropriate).

The advisory says that the problem with OpenSSH is fixed by 4.7-RELEASE-p16, and a 'uname -a' of one of my 4.7 boxes shows it as being 4.7-RELEASE-p21.

However, a '/usr/sbin/sshd -\?' shows the version of OpenSSH running as being OpenSSH_3.4p1. Scanning the box with Nessus warns of the security hole associated with versions of OpenSSH prior to 3.7.1p2 and warned about in SA-03:12.

So, my question is, am I actually covered by 4.7-RELEASE-p21 and Nessus is giving a false positive, or am I still potentially vulnerable?

Regards,

Steve.