From owner-freebsd-stable@FreeBSD.ORG Tue Sep 16 13:12:15 2003 Return-Path: Delivered-To: freebsd-stable@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 014C616A4B3 for ; Tue, 16 Sep 2003 13:12:15 -0700 (PDT) Received: from dire.bris.ac.uk (dire.bris.ac.uk [137.222.10.60]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9422D43F3F for ; Tue, 16 Sep 2003 13:12:13 -0700 (PDT) (envelope-from Jan.Grant@bristol.ac.uk) Received: from mail.ilrt.bris.ac.uk by dire.bris.ac.uk with SMTP-PRIV with ESMTP; Tue, 16 Sep 2003 21:12:07 +0100 Received: from cmjg (helo=localhost) by mail.ilrt.bris.ac.uk with local-esmtp (Exim 3.16 #1) id 19zM9X-0005zi-00; Tue, 16 Sep 2003 21:10:23 +0100 Date: Tue, 16 Sep 2003 21:10:23 +0100 (BST) From: Jan Grant X-X-Sender: cmjg@mail.ilrt.bris.ac.uk To: Kris Kennaway In-Reply-To: <20030916192659.GA11518@rot13.obsecurity.org> Message-ID: References: <20030916171436.GA12867@ei.bzerk.org> <200309161416.17241.craig@meoqu.gank.org> <20030916192659.GA11518@rot13.obsecurity.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: Jan Grant cc: Ruben de Groot cc: stable@freebsd.org Subject: Re: Release Engineering Status Report X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 20:12:15 -0000 On Tue, 16 Sep 2003, Kris Kennaway wrote: > On Tue, Sep 16, 2003 at 02:16:17PM -0500, Craig Boston wrote: > > On Tuesday 16 September 2003 12:14 pm, Ruben de Groot wrote: > > > Fortunately, there's allready a patch in the source tree: > > > > > > http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssh/buffer.c.diff?r1=1 > > >.1.1.6&r2=1.1.1.7&f=h > > > > Yes, fortunately the patch is there. I noticed however that in the version > > committed to the RELENG_4_8 branch, RCSID wasn't changed, so it's not > > possible to use ident to tell if your libssh needs to be patched or not (both > > old and new say 1.16)... Was that an oversight or should I be using some > > other method to determine if I'm running a vulnerable version or not? > > Err, the RCS ID is updated automatically upon CVS checkin..is that > really what you mean? Yes, it is. The updated openssh/buffer.c has this near the top, still: [[ RCSID("$OpenBSD: buffer.c,v 1.16 2002/06/26 08:54:18 markus Exp $"); ]] ... the fix around line 100 has been merged; this change hasn't. -- jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/ Tel +44(0)117 9287088 Fax +44 (0)117 9287112 http://ioctl.org/jan/ Boycott Arabic numerals! What have they ever done for us?