Date: Fri, 9 Feb 2001 09:29:27 -0500 (EST)
From: Igor Roshchin
Message-Id: <200102091429.JAA78992@giganda.komkon.org>
To: security@FreeBSD.ORG, sziszi@petra.hos.u-szeged.hu
Subject: Re: Is this a problem for us too?
In-Reply-To: <20010209114758.C6167@petra.hos.u-szeged.hu>

> Date: Fri, 9 Feb 2001 11:47:58 +0100
> From: Szilveszter Adam
>
> On Fri, Feb 09, 2001 at 09:54:29AM +0000, Rasputin wrote:
> >
> > Just noticed a couple of openssh security advisories
> > on deadly.org:
> >
> > http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
> >
> > Is this openbsd-specific, or related to any openssh implementation?
>
> -CURRENT and -STABLE have 2.3.0 so they are not vulnerable. 3.x still
> doesn't have OpenSSH at all AFAIK. The ports have just been marked
> FORBIDDEN for both ssh and openssh. Something else? No, I think we have
> covered all bases:-)
>

Well, I believe such a message, based on some type of "hometown pride",
could be confusing to some people.

Many people are running earlier releases of 4.x, and they do not have 2.3.0
(e.g. 4.0-release has Open-SSH-1.2.2), and therefore are probably
vulnerable (1).

Those who are running 3.5-STABLE and have ssh from the ports collection,
^^^^^^
(many people do use ssh) are probably (1) vulnerable as well.

I believe (and hope), security-officer's team is already working on the fix
and the advisory.

(1) Note: Unless it is not vulnerable due to some specifics of
FreeBSD implementation, but that doesn't seem to be the case.

Igor

PS. I'd say your response does not "cover all bases", but rather is
an ostrich-like behavior: "My head is hidden, something else ?" :)))
Nothing personal, just let's not confuse people with a false sense
that everything is fine.