From: des@des.no (Dag-Erling Smørgrav)
To: David.E.Tweten@nasa.gov
Cc: freebsd-stable@freebsd.org
Date: Thu, 22 Jan 2004 21:10:51 +0100
Subject: Re: OpenSSH Vulnerable Prior to 3.7.1
In-Reply-To: <2721.1074800988@gilmore.nas.nasa.gov> (Dave Tweten's message of "Thu, 22 Jan 2004 11:49:48 -0800")

Dave Tweten writes:
> I understand that FreeBSD patches old versions of OpenSSH instead of
> substituting new ones,

That depends, but upgrading is generally a lot more work (and introduces
other risks). It is however highly unlikely that we will ever upgrade
OpenSSH in 4.x to 3.7.1, as it does not support Kerberos IV, which we
still want to support in 4.x.

> but my question is whether sshd version
> "OpenSSH_3.5p1 FreeBSD-20030924" has these vulnerabilities fixed.

We do not know of any vulnerabilities in FreeBSD-STABLE's OpenSSH. If
you have any information we don't, we'd be very much obliged if you
could forward it to .

> Is it
> as secure as OpenSSH 3.7.1?

As far as we know, yes.

DES
-- 
Dag-Erling Smørgrav - des@des.no
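An added example, not part of this message or of FreeBSD's or OpenSSH's own code: the check the question above implies (comparing the "OpenSSH_3.5p1" in the banner against 3.7.1) misreports vendor-patched builds, because a backported fix leaves the upstream version number unchanged. The FreeBSD build instead appends a patch date in the banner's comments field ("FreeBSD-20030924"), and that date, compared against the date given in the vendor's own advisory, is the meaningful field. The banners below are constructed, and the vendor fix dates in the dictionary are placeholders standing in for whatever the real advisory says.

```python
"""Parse SSH identification strings and judge patch status by vendor date.

Added example. Vendor-patched sshd builds keep the old upstream version
number, so a check that only compares "OpenSSH_3.5p1" against "3.7.1"
calls them vulnerable; FreeBSD's banner carries a patch date instead.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# RFC 4253 section 4.2: SSH-protoversion-softwareversion [SP comments]
_BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# softwareversion as OpenSSH emits it: OpenSSH_<ver>[p<portable release>]
_OPENSSH_RE = re.compile(r"^OpenSSH_(?P<ver>\d+(?:\.\d+)*)(?:p(?P<port>\d+))?$")
# vendor tag as the FreeBSD build puts it in the comments field: FreeBSD-YYYYMMDD
_FREEBSD_RE = re.compile(r"^FreeBSD-(?P<date>\d{8})$")

Version = Tuple[int, ...]

# Constructed sample banners (the first matches the version quoted in the thread).
FREEBSD_BANNER = "SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030924"
UPSTREAM_BANNER = "SSH-1.99-OpenSSH_3.7.1p2"

# Hypothetical placeholder: vendor tag -> earliest patch date (YYYYMMDD) that
# carries the fix. Take the real value from the vendor's advisory.
HYPOTHETICAL_VENDOR_FIX_DATES: Dict[str, str] = {"FreeBSD": "20030924"}


@dataclass(frozen=True)
class SshBanner:
    proto: str
    upstream: Version            # (3, 5) for OpenSSH_3.5p1
    portable: Optional[int]      # the "p1" in OpenSSH_3.5p1, if present
    vendor: Optional[str]        # "FreeBSD" when a vendor tag was recognised
    vendor_date: Optional[str]   # YYYYMMDD patch date from the vendor tag


def parse_banner(line: str) -> SshBanner:
    """Split an sshd identification line into upstream and vendor fields."""
    line = line.rstrip("\r\n")
    m = _BANNER_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    sw = _OPENSSH_RE.match(m.group("software"))
    if not sw:
        raise ValueError(f"not an OpenSSH banner: {m.group('software')!r}")
    upstream = tuple(int(x) for x in sw.group("ver").split("."))
    portable = int(sw.group("port")) if sw.group("port") else None
    vendor = vendor_date = None
    fb = _FREEBSD_RE.match(m.group("comments") or "")
    if fb:
        vendor, vendor_date = "FreeBSD", fb.group("date")
    return SshBanner(m.group("proto"), upstream, portable, vendor, vendor_date)


def naive_is_fixed(b: SshBanner, fixed_upstream: Version) -> bool:
    """The check the question implies: upstream version number only."""
    return b.upstream >= fixed_upstream


def is_fixed(b: SshBanner, fixed_upstream: Version,
             vendor_fix_dates: Dict[str, str]) -> bool:
    """Use the vendor patch date for vendor-patched builds, else the upstream number.

    Dates are zero-padded YYYYMMDD, so string order equals chronological order.
    """
    if b.vendor is not None and b.vendor_date is not None and b.vendor in vendor_fix_dates:
        return b.vendor_date >= vendor_fix_dates[b.vendor]
    return naive_is_fixed(b, fixed_upstream)


if __name__ == "__main__":
    for banner in (FREEBSD_BANNER, UPSTREAM_BANNER):
        b = parse_banner(banner)
        print(banner, "naive:", naive_is_fixed(b, (3, 7, 1)),
              "vendor-aware:", is_fixed(b, (3, 7, 1), HYPOTHETICAL_VENDOR_FIX_DATES))
```

The naive check returns False for the FreeBSD banner and True only for the vendor-aware one; a scanner that reports on the upstream number alone is the source of the false positive the question describes.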