From: Colin Percival
To: "Greenshaw, Steve"
cc: freebsd-security@freebsd.org
Date: Sat, 04 Oct 2003 22:04:11 +0100
Subject: Re: Security Fix Confusion
Message-Id: <5.0.2.1.1.20031004215727.0301e590@popserver.sfu.ca>
In-Reply-To: <911E4B4A51A3D3119DD600508B44B4A40840C4@ammail.ucsm.ac.uk>
List-Id: Security issues [members-only posting]

At 21:27 04/10/2003 +0100, you wrote:
>I'm wondering if anybody could enlighten me about the effect of tracking
>RELENG?

Assuming you mean RELENG_x_y: You'll get critical security fixes for that
release, for as long as that release is supported.

>However, a '/usr/sbin/sshd -\?' shows the version of OpenSSH running as
>being OpenSSH_3.4p1.

If it reports "sshd version OpenSSH_3.4p1 FreeBSD-20030924", you're safe.
The "FreeBSD-20030924" means that it includes the latest fixes (incorporated
by des@ on September 24th, part of SA-03:15).

> Scanning the box with Nessus warns of the security hole
>associated with versions of OpenSSH prior to 3.7.1p2 and warned about in
>SA-03:12
>
>So, my question is, am I actually covered by 4.7-RELEASE-p21 and Nessus is
>giving a false positive, or am I still potentially vulnerable?

Looks like a false positive to me.

Colin Percival
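The point of the reply is that on FreeBSD the upstream OpenSSH number ("3.4p1") says nothing about which fixes are in the binary; the "FreeBSD-YYYYMMDD" suffix does, and a banner-matching scanner that only reads the upstream number will flag a patched host. The following shell script is an added example, not part of the list post: it extracts the FreeBSD date tag from an sshd version banner and compares it against a minimum date (20030924, the tag the reply names). The two "OLDER" and "STOCK" banners are constructed for contrast; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the list post): decide whether an sshd banner
# carries the FreeBSD patch tag at or after a given date. FreeBSD appends
# "FreeBSD-YYYYMMDD" to the OpenSSH version string, and that date, not the
# upstream "3.4p1", tells you which fixes the binary contains.

# Usage: freebsd_ssh_patch_level "<banner>"
# Prints the 8-digit FreeBSD date tag, or nothing if the banner has none.
freebsd_ssh_patch_level() {
    printf '%s\n' "$1" | sed -n 's/.*FreeBSD-\([0-9]\{8\}\).*/\1/p'
}

# Usage: ssh_is_patched "<banner>" <min_date_yyyymmdd>
# exit 0 = FreeBSD tag present and >= min_date (fixes included)
# exit 1 = FreeBSD tag present but older than min_date
# exit 2 = no FreeBSD tag at all (stock OpenSSH or non-FreeBSD build),
#          so the date check cannot answer the question
ssh_is_patched() {
    banner=$1
    min=$2
    level=$(freebsd_ssh_patch_level "$banner")
    [ -n "$level" ] || return 2
    [ "$level" -ge "$min" ] && return 0
    return 1
}

# The banner quoted in the reply, plus two constructed ones for contrast.
# On a live FreeBSD host you would feed in: /usr/sbin/sshd -? 2>&1 | head -1
PATCHED='sshd version OpenSSH_3.4p1 FreeBSD-20030924'
OLDER='sshd version OpenSSH_3.4p1 FreeBSD-20020702'   # constructed
STOCK='sshd version OpenSSH_3.4p1'                     # constructed

for b in "$PATCHED" "$OLDER" "$STOCK"; do
    rc=0
    ssh_is_patched "$b" 20030924 || rc=$?
    case $rc in
        0) echo "OK      : $b" ;;
        1) echo "OLD     : $b" ;;
        2) echo "UNKNOWN : $b" ;;
    esac
done
```

The "UNKNOWN" outcome is deliberate: a banner without a FreeBSD tag gives no evidence either way, so the script refuses to call it patched rather than guessing, which is the same ambiguity the scanner in the original question fell into.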