Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 31 Oct 2003 01:47:30 -0800
From:      Kris Kennaway <kris@obsecurity.org>
To:        Wayne Pascoe <freebsd-questions@penguinpowered.org>
Cc:        Kris Kennaway <kris@obsecurity.org>
Subject:   Re: openssh in 4.9
Message-ID:  <20031031094729.GA36048@rot13.obsecurity.org>
In-Reply-To: <20031031085515.GA75391@marvin.penguinpowered.org>
References:  <20031030141926.GB71952@marvin.penguinpowered.org> <20031030182206.GC29685@rot13.obsecurity.org> <20031031085515.GA75391@marvin.penguinpowered.org>
next in thread | previous in thread | raw e-mail | index | archive | help 

--fdj2RfSjLxBAspz7
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Oct 31, 2003 at 08:55:15AM +0000, Wayne Pascoe wrote:
> On Thu, Oct 30, 2003 at 10:22:06AM -0800, Kris Kennaway wrote:
> > Please read the security advisory.
>=20
> I've read the advisory. It states a couple of workarounds (which I
> enabled at the time anyway) and also states that the problem is
> rectified in -STABLE beyond a certain date.
>=20
> However, looking at the openssh advisory's, the only fix is to be
> running a version 3.7.1p1 or later. So I'm confused. Have the FreeBSD
> team backported these fixes into 3.5.1 ?=20

Yes, that's why the FreeBSD advisory says the problem was rectified in
-STABLE beyond a certain date ;-)

> One of my problems is that some of my clients occasionally have 3rd
> parties perform penetration testing on our servers. I need an
> explanation for when the 3rd party comes back and says that I am running
> a vulnerable ssh.

Compare the version string to an unpatched openssh version...they are
not the same.

Kris

--fdj2RfSjLxBAspz7
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQE/oi+xWry0BWjoQKURAr6dAKDnssvJETZOgoa2md15a9aAVU6BDQCfRmsP
H9E6rhA/+P+ZEFjSYORrpVc=
=Tp+q
-----END PGP SIGNATURE-----

--fdj2RfSjLxBAspz7--

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031031094729.GA36048>