From: Brett Glass
To: "Jacques A. Vidrine"
cc: freebsd-security@FreeBSD.org
Date: Tue, 16 Sep 2003 12:49:23 -0600
Subject: Re: OpenSSH heads-up
Message-Id: <4.3.2.7.2.20030916124550.02a55970@localhost>
In-Reply-To: <20030916184500.GD6723@madman.celabo.org>

At 12:45 PM 9/16/2003, Jacques A. Vidrine wrote:

>There have been rumours of an ssh2 exploit for over a week. The
>first concrete indication that I received that there was a bug was an
>OpenBSD commit message last night.

Interesting. I could scan the source, but perhaps you already have
and can answer the following questions:

1. Could the bug be exploited by someone who had not authenticated
   with the server?

2. Can it be worked around by changing the configuration until one has
   time to patch? (You mention that it's an SSH2 exploit; perhaps one
   can disable SSH2 and use SSH1 in the interim?)

--Brett Glass