From owner-freebsd-questions@FreeBSD.ORG Fri Oct 31 01:47:33 2003 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1D97D16A4CF for ; Fri, 31 Oct 2003 01:47:33 -0800 (PST) Received: from obsecurity.dyndns.org (adsl-63-207-60-234.dsl.lsan03.pacbell.net [63.207.60.234]) by mx1.FreeBSD.org (Postfix) with ESMTP id 940E243F85 for ; Fri, 31 Oct 2003 01:47:31 -0800 (PST) (envelope-from kris@obsecurity.org) Received: from rot13.obsecurity.org (rot13.obsecurity.org [10.0.0.5]) by obsecurity.dyndns.org (Postfix) with ESMTP id 6EE8C66B60; Fri, 31 Oct 2003 01:47:30 -0800 (PST) Received: by rot13.obsecurity.org (Postfix, from userid 1000) id 40983885; Fri, 31 Oct 2003 01:47:30 -0800 (PST) Date: Fri, 31 Oct 2003 01:47:30 -0800 From: Kris Kennaway To: Wayne Pascoe Message-ID: <20031031094729.GA36048@rot13.obsecurity.org> References: <20031030141926.GB71952@marvin.penguinpowered.org> <20031030182206.GC29685@rot13.obsecurity.org> <20031031085515.GA75391@marvin.penguinpowered.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="fdj2RfSjLxBAspz7" Content-Disposition: inline In-Reply-To: <20031031085515.GA75391@marvin.penguinpowered.org> User-Agent: Mutt/1.4.1i cc: freebsd-questions@freebsd.org cc: Kris Kennaway Subject: Re: openssh in 4.9 X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 31 Oct 2003 09:47:33 -0000 --fdj2RfSjLxBAspz7 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Oct 31, 2003 at 08:55:15AM +0000, Wayne Pascoe wrote: > On Thu, Oct 30, 2003 at 10:22:06AM -0800, Kris Kennaway wrote: > > Please read the security advisory. >=20 > I've read the advisory. It states a couple of workarounds (which I > enabled at the time anyway) and also states that the problem is > rectified in -STABLE beyond a certain date. >=20 > However, looking at the openssh advisory's, the only fix is to be > running a version 3.7.1p1 or later. So I'm confused. Have the FreeBSD > team backported these fixes into 3.5.1 ?=20 Yes, that's why the FreeBSD advisory says the problem was rectified in -STABLE beyond a certain date ;-) > One of my problems is that some of my clients occasionally have 3rd > parties perform penetration testing on our servers. I need an > explanation for when the 3rd party comes back and says that I am running > a vulnerable ssh. Compare the version string to an unpatched openssh version...they are not the same. Kris --fdj2RfSjLxBAspz7 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (FreeBSD) iD8DBQE/oi+xWry0BWjoQKURAr6dAKDnssvJETZOgoa2md15a9aAVU6BDQCfRmsP H9E6rhA/+P+ZEFjSYORrpVc= =Tp+q -----END PGP SIGNATURE----- --fdj2RfSjLxBAspz7--