From: Gordon Tetlow
To: mike tancsa
Cc: freebsd-security@freebsd.org
Date: Tue, 19 Dec 2023 19:11:51 -0800
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-23:19.openssh
Message-Id: <75D32904-562B-473D-B6DF-AA7237276138@tetlows.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security

> On Dec 19, 2023, at 14:08, mike tancsa wrote:
>
> On 12/19/2023 4:33 PM, FreeBSD Security Advisories wrote:
>> with 12.4 are encouraged to either implement the documented workaround or
>> leverage an up to date version of OpenSSH from the ports/pkg collection.
>
> Hi,
>
> Is the version of security/openssh-portable not vulnerable to this issue too? I don't see any update since Oct

I've posted a review for an update to 9.6p1: https://reviews.freebsd.org/D43132

Gordon