From: Brett Glass
Date: Mon, 13 May 2019 09:37:49 -0600
To: Dag-Erling Smørgrav , Brahmanand Reddy
Cc: FreeBSD-security@freebsd.org, openssh@openssh.com
Subject: Re: POC and patch for the CVE-2018-15473

My company has remained with FreeBSD 11 for now because we have encountered NIC driver stability problems under heavy loads with FreeBSD 12.0. As an ISP, we also endure constant brute force username and password guessing attacks, so a fix for this problem is of interest to us.

Is the FreeBSD port of OpenSSH 7.8 available for FreeBSD 11-STABLE from the ports collection? If not, shouldn't it be?

--Brett Glass

>Brahmanand Reddy writes:
> > regarding the CVE-2018-15473 didn't find official patch from the openssh
> > on freebsd OS base.
>
>CVE-2018-15473 is a user existence oracle bug which does not meet our
>criteria for security advisories.
>
>FreeBSD 12 has OpenSSH 7.8, which is patched. FreeBSD 11 has OpenSSH
>7.5, which is not.
>
>DES
>--
>Dag-Erling Smørgrav - des@FreeBSD.org