From owner-freebsd-security Tue Dec 14 20:52:07 1999
Delivered-To: freebsd-security@freebsd.org
Received: from quaggy.ursine.com (lambda.blueneptune.com [209.133.45.179]) by hub.freebsd.org (Postfix) with ESMTP id 60B82153DE for ; Tue, 14 Dec 1999 20:52:01 -0800 (PST) (envelope-from fbsd-security@ursine.com)
Received: from michael (lambda.ursine.com [209.133.45.69]) by quaggy.ursine.com (8.9.3/8.9.3) with ESMTP id UAA50314 for ; Tue, 14 Dec 1999 20:52:01 -0800 (PST)
Message-ID: <199912142052000380.09DCA719@quaggy.ursine.com>
In-Reply-To: <199912150404.WAA28271@alecto.physics.uiuc.edu>
References: <199912150404.WAA28271@alecto.physics.uiuc.edu>
X-Mailer: Calypso Version 3.00.00.13 (2)
Date: Tue, 14 Dec 1999 20:52:00 -0800
From: "Michael Bryan"
To: freebsd-security@FreeBSD.ORG
Subject: Re: CERT released RSAREF bulletin
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>I've noticed that the patch just changed from its Dec.2 version.
>Does it mean that the rsaref2 (and therefore the software based on it)
>as of Dec.2-Dec.13 is/was still vulnerable,
>or this is more of an aesthetic change for the sake of the patch's elegance?

If I recall the BugTraq message on this correctly, the original RSAREF patch was not enough to catch all cases, but did close things down substantially. There was also a patch made to the port of ssh in mid-November (specifically rsaglue.c), and I think that fully closes the hole as well, but obviously only for ssh/sshd. Other users of RSAREF would still be vulnerable unless the RSAREF port is patched as well.

As a final note, a BugTraq message said that somebody has coded an exploit for the bug as seen in sshd 1.2.27 and earlier, and they are about to release it to the world. It works on Linux and OpenBSD, giving the attacker root access. It will likely work against FreeBSD as well, possibly with minor modifications.

Anybody who uses ssh 1.2.27 or earlier in combination with RSAREF needs to update things on their systems ASAP. (RSAREF is not the normal compilation of the ssh port, though.) Supposedly there is a 1.2.28 version of ssh in the works, but there's no sign of it just yet on their ftp server or web site.

Michael Bryan
fbsd-security@ursine.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message