From owner-freebsd-stable@FreeBSD.ORG  Thu Jan 22 12:11:11 2004
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1A40916A4CE
	for <freebsd-stable@freebsd.org>;
	Thu, 22 Jan 2004 12:11:11 -0800 (PST)
Received: from smtp.des.no (flood.des.no [217.116.83.31])
	by mx1.FreeBSD.org (Postfix) with ESMTP id CE0B343D1F
	for <freebsd-stable@freebsd.org>;
	Thu, 22 Jan 2004 12:11:09 -0800 (PST)	(envelope-from des@des.no)
Received: by smtp.des.no (Pony Express, from userid 666)
	id D25C3530C; Thu, 22 Jan 2004 21:11:08 +0100 (CET)
Received: from dwp.des.no (des.no [80.203.228.37])
	by smtp.des.no (Pony Express) with ESMTP
	id 66D415308; Thu, 22 Jan 2004 21:10:52 +0100 (CET)
Received: by dwp.des.no (Postfix, from userid 2602)
	id E89BD33C6A; Thu, 22 Jan 2004 21:10:51 +0100 (CET)
To: David.E.Tweten@nasa.gov
References: <2721.1074800988@gilmore.nas.nasa.gov>
From: des@des.no (Dag-Erling =?iso-8859-1?q?Sm=F8rgrav?=)
Date: Thu, 22 Jan 2004 21:10:51 +0100
In-Reply-To: <2721.1074800988@gilmore.nas.nasa.gov> (Dave Tweten's message
 of "Thu, 22 Jan 2004 11:49:48 -0800")
Message-ID: <xzpektrwxpw.fsf@dwp.des.no>
User-Agent: Gnus/5.090024 (Oort Gnus v0.24) Emacs/21.3 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
X-Spam-Checker-Version: SpamAssassin 2.61 (1.212.2.1-2003-12-09-exp) on 
	flood.des.no
X-Spam-Level: ss
X-Spam-Status: No, hits=2.6 required=5.0 tests=RCVD_IN_DYNABLOCK,
	RCVD_IN_SORBS autolearn=no version=2.61
cc: freebsd-stable@freebsd.org
Subject: Re: OpenSSH Vulnerable Prior to 3.7.1
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Production branch of FreeBSD source code
	<freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Jan 2004 20:11:11 -0000

Dave Tweten <tweten@nas.nasa.gov> writes:
> I understand that FreeBSD patches old versions of OpenSSH instead of
> substituting new ones,

That depends, but upgrading is generally a lot more work (and
introduces other risks).

It is however highly unlikely that we will ever upgrade OpenSSH in 4.x
to 3.7.1, as it does not support Kerberos IV, which we still want to
support in 4.x.

>                        but my question is whether sshd version
> "OpenSSH_3.5p1 FreeBSD-20030924" has these vulnerabilities fixed.

We do not know of any vulnerabilities in FreeBSD-STABLE's OpenSSH.  If
you have any information we don't, we'd be very much obliged if you
could forward it to <secteam@freebsd.org>.

>                                                                    Is it
> as secure as OpenSSH 3.7.1?

As far as we know, yes.

DES
--=20
Dag-Erling Sm=F8rgrav - des@des.no