Date: Fri, 31 Oct 2003 01:47:30 -0800 From: Kris Kennaway <kris@obsecurity.org> To: Wayne Pascoe <freebsd-questions@penguinpowered.org> Cc: Kris Kennaway <kris@obsecurity.org> Subject: Re: openssh in 4.9 Message-ID: <20031031094729.GA36048@rot13.obsecurity.org> In-Reply-To: <20031031085515.GA75391@marvin.penguinpowered.org> References: <20031030141926.GB71952@marvin.penguinpowered.org> <20031030182206.GC29685@rot13.obsecurity.org> <20031031085515.GA75391@marvin.penguinpowered.org>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] On Fri, Oct 31, 2003 at 08:55:15AM +0000, Wayne Pascoe wrote: > On Thu, Oct 30, 2003 at 10:22:06AM -0800, Kris Kennaway wrote: > > Please read the security advisory. > > I've read the advisory. It states a couple of workarounds (which I > enabled at the time anyway) and also states that the problem is > rectified in -STABLE beyond a certain date. > > However, looking at the openssh advisory's, the only fix is to be > running a version 3.7.1p1 or later. So I'm confused. Have the FreeBSD > team backported these fixes into 3.5.1 ? Yes, that's why the FreeBSD advisory says the problem was rectified in -STABLE beyond a certain date ;-) > One of my problems is that some of my clients occasionally have 3rd > parties perform penetration testing on our servers. I need an > explanation for when the 3rd party comes back and says that I am running > a vulnerable ssh. Compare the version string to an unpatched openssh version...they are not the same. Kris [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (FreeBSD) iD8DBQE/oi+xWry0BWjoQKURAr6dAKDnssvJETZOgoa2md15a9aAVU6BDQCfRmsP H9E6rhA/+P+ZEFjSYORrpVc= =Tp+q -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031031094729.GA36048>