Date: Wed, 13 Mar 2002 08:50:32 -0800 From: bmah@FreeBSD.org (Bruce A. Mah) To: Udo Erdelhoff <ue@nathan.ruhr.de> Cc: freebsd-doc@FreeBSD.org, "Bruce A. Mah" <bmah@FreeBSD.org>, security-officer@FreeBSD.org Subject: Re: cvs commit: src/release/doc/en_US.ISO8859-1/relnotes/common new.sgml Message-ID: <200203131650.g2DGoWr36860@bmah.dyndns.org> In-Reply-To: <20020310191230.E89278@nathan.ruhr.de> References: <200203090112.g291C4A36851@freefall.freebsd.org> <20020310191230.E89278@nathan.ruhr.de>
next in thread | previous in thread | raw e-mail | index | archive | help
If memory serves me right, Udo Erdelhoff wrote: > Hi, > On Fri, Mar 08, 2002 at 05:12:04PM -0800, Bruce A. Mah wrote: > > 1.297 +4 -2 src/release/doc/en_US.ISO8859-1/relnotes/common/new. > sgml > > I think there is a small typo/omission in the entry: > > ] This bug could have allowed an authenticated remote user to cause > ] &man.sshd.8; to execute arbitrary code with superuser privileges, > > This part is correct and clear: A 'bad' client can abuse the server > > ] or allowed a connecting SSH client to execute arbitrary > ] code with the privileges of the client user. > > but I think this part should be clearer. According to the advisories > I have read, a 'bad' server can abuse the client. My suggestion > is to replace this part with "or allowed a malicous SSH server to > execute arbitrary code on the client system with the privileges of > the client user". Sorry for the delay. You're probably right here...any comments from the security officer team? Having had to amend this release note once already, I want to finally-get-it-right-this-time-dammit. :-) Thanks! Bruce. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200203131650.g2DGoWr36860>