Date: Thu, 18 Sep 2003 13:17:01 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: McClain Looney <m@loonsoft.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: sshd patch
Message-ID: <20030918121701.GD59821@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <200309172042.39766.m@loonsoft.com>
References: <200309172042.39766.m@loonsoft.com>
On Wed, Sep 17, 2003 at 08:42:39PM -0500, McClain Looney wrote:
> Hello,
>
> I followed the instructions to patch my sshd for SA03:12, only to find my
> version string still doesn't match the one in the advisory.
>
> Am I correct in assuming it should read OpenSSH_3.5p1 FreeBSD-20030917 ?
>
> It currently reads SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030201. What could be
> causing this? Is a make clean required before the depend?

The patches (e.g. ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch) as described in the advisory are intended to be the minimum required in order to fix the vulnerability. That's done so that the same patches can be applied to as many different versions of FreeBSD as possible. Consequently, they don't modify the version numbers either in the $FreeBSD$ CVS tags or of OpenSSH itself (in src/crypto/openssh/version.h). You can tell that just by a simple eyeball inspection of the patch.

This is generally the case with security advisories, as a) it's part of the modus operandi of the x.y-RELEASE branches and b) time being of the essence, the smaller the number of patches that have to be developed and tested, the better. However, it's not an absolute rule: some security advisories have resulted in version number bumps on some of the branches.

If you want to pull down sources with all of the latest version numbers, use cvsup(1), i.e. Option 1) in the Solution section of the advisory. However, you probably have succeeded in patching your system and are now not vulnerable, although there's no way to tell that remotely other than by trying to exploit the bug.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
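The point Matthew makes above is that an sshd banner is not evidence of patch status: a minimally patched host keeps its old `FreeBSD-YYYYMMDD` tag. The following is an added example (not code from the thread) that parses SSH identification strings of the form quoted in the question and classifies what a banner can and cannot tell an administrator doing a fleet inventory; the banner lines and the `ADVISORY_TAG` value are taken from the thread, and the helper names are my own.

```python
import re

# Date tag a rebuilt sshd would carry, per the question ("FreeBSD-20030917").
ADVISORY_TAG = "20030917"

# SSH identification string: "SSH-<protoversion>-<softwareversion>[ <comments>]"
_ID_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

# Constructed sample banners, as a scanner might record them from an inventory run.
SAMPLE_BANNERS = [
    "SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030201",   # the banner from the question
    "SSH-2.0-OpenSSH_3.5p1 FreeBSD-20030917",    # rebuilt from cvsup'd sources
    "SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030201",   # minimally patched, same old tag
    "SSH-2.0-OpenSSH_3.6.1p1",                   # no FreeBSD date tag at all
]


def parse_banner(banner):
    """Split an SSH identification string into (proto, software, comments)."""
    m = _ID_RE.match(banner.strip())
    if not m:
        raise ValueError("not an SSH identification string: %r" % banner)
    return m.group("proto"), m.group("software"), m.group("comments") or ""


def freebsd_tag(comments):
    """Return the YYYYMMDD part of a 'FreeBSD-YYYYMMDD' comment, or None."""
    m = re.search(r"FreeBSD-(\d{8})", comments)
    return m.group(1) if m else None


def banner_verdict(banner, advisory_tag=ADVISORY_TAG):
    """Classify a banner. 'tag-current' means the date tag is at or after the
    advisory date; 'tag-stale' is INCONCLUSIVE, because the advisory patch does
    not touch version.h (so a patched host keeps its old tag); 'no-tag' means
    the banner carries no FreeBSD date tag and says nothing about the patch."""
    _proto, _software, comments = parse_banner(banner)
    tag = freebsd_tag(comments)
    if tag is None:
        return "no-tag"
    return "tag-current" if tag >= advisory_tag else "tag-stale"


def inventory(banners, advisory_tag=ADVISORY_TAG):
    """Count verdicts over a list of banner lines; 'tag-stale' hosts need a
    local check (installed version.h / patch record), not a re-scan."""
    counts = {"tag-current": 0, "tag-stale": 0, "no-tag": 0}
    for line in banners:
        counts[banner_verdict(line, advisory_tag)] += 1
    return counts
```

Only a local inspection of the installed sources or the patch record resolves the `tag-stale` hosts; the banner alone cannot distinguish them from unpatched ones.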