From owner-freebsd-security  Sat Nov 11 16:18:27 2000
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-c.mdsn1.wi.home.com [24.183.3.139])
	by hub.freebsd.org (Postfix) with ESMTP id A6DE537B479
	for <freebsd-security@FreeBSD.ORG>; Sat, 11 Nov 2000 16:18:24 -0800 (PST)
Received: (qmail 53945 invoked by uid 1000); 12 Nov 2000 00:18:23 -0000
Received: from localhost (sendmail-bs@127.0.0.1)
  by localhost with SMTP; 12 Nov 2000 00:18:23 -0000
Date: Sat, 11 Nov 2000 18:18:23 -0600 (CST)
From: Mike Silbersack <silby@silby.com>
To: Kris Kennaway <kris@FreeBSD.ORG>
Cc: John F Cuzzola <vdrifter@ocis.ocis.net>,
	freebsd-security@FreeBSD.ORG
Subject: Re: SSH
In-Reply-To: <20001111160742.A52887@citusc17.usc.edu>
Message-ID: <Pine.BSF.4.21.0011111816520.53920-100000@achilles.silby.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


On Sat, 11 Nov 2000, Kris Kennaway wrote:

> On Sat, Nov 11, 2000 at 05:45:55PM -0600, Mike Silbersack wrote:
> > 
> > Er, old 1.2.27 with old rsaref is root-exploitable.
> 
> Wasn't that 1.2.26? Anyway, I meant the FreeBSD port, which is fixed.
> 
> Kris

1.2.27 and before was affected.  Both the ssh port and rsaref port were
patched in short order, I recall.  However, we have no clue what age the
1.2.27 binary in question is.  So, while new installs aren't vulnerable,
the original poster's system may be at risk.

Mike "Silby" Silbersack



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message