From owner-freebsd-security Wed Dec 15 02:01:56 1999
Delivered-To: freebsd-security@freebsd.org
Received: from shemp.palomine.net (shemp.palomine.net [205.198.88.200]) by hub.freebsd.org (Postfix) with SMTP id 5D36E15488 for ; Wed, 15 Dec 1999 02:01:52 -0800 (PST) (envelope-from cjohnson@palomine.net)
Received: (qmail 3708 invoked by uid 1000); 15 Dec 1999 10:01:50 -0000
Date: Wed, 15 Dec 1999 05:01:49 -0500
From: Chris Johnson
To: freebsd-security@freebsd.org
Subject: Re: CERT released RSAREF bulletin
Message-ID: <19991215050149.A3602@palomine.net>
References: <4.2.2.19991214112940.01c3d5b8@mail.myable.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.6i
In-Reply-To: <4.2.2.19991214112940.01c3d5b8@mail.myable.com>; from Marc Bejarano on Tue, Dec 14, 1999 at 11:39:23AM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

According to the CERT bulletin:

FreeBSD 3.3R and prior releases contain packages with this problem. This problem was corrected December 2, 1999 in the ports tree. Packages built after this date with the rsaref updated should be unaffected by this vulnerability.

Some or all of the following ports may be affected and should be rebuilt:

p5-Penguin, p5-Penguin-Easy, jp-pgp, ja-w3m-ssl, ko-pgp, pgpsendmail, pine4-ssl, premail, ParMetis, SSLtelnet, mpich, pipsecd, tund, nntpcache, p5-Gateway, p5-News-Article, ru-pgp, bjorb, keynote, OpenSSH, openssl, p5-PGP, p5-PGP-Sign, pgp, slush, ssh, sslproxy, stunnel, apache+mod_ssl, apache+ssl, lynx-ssl, w3m-ssl, zope

Of these, I'm using OpenSSH, openssl, and pipsecd. It seems to me that all of these link rsaref dynamically, and that therefore I should need only to rebuild rsaref to ensure my safety. Can someone say definitively whether this is the case? And if so, why do I keep seeing these messages telling me I need to rebuild anything that depends on the rsaref port?

Also, was the fix that was applied to the ssh port also applied to the OpenSSH port?

Chris
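
The linkage half of the question above can be checked per binary from `ldd` output. The following is an added example, not part of the original message or of the FreeBSD project; the library name `librsaref.so`, the sample paths and the function names are assumptions. It only reports how a binary is linked and says nothing about whether a port also needed a source change of its own.

```shell
#!/bin/sh
# Added example: classify how a binary relates to the rsaref shared library.
# Assumption: the shared object is named librsaref.so.* (override with RSAREF_LIB).

# Reads `ldd <binary>` output on stdin and prints one verdict:
#   dynamic     librsaref is resolved at run time, so a rebuilt shared
#               library is what the binary loads on its next start
#   static-bin  not a dynamic executable; any rsaref code is baked in,
#               so only rebuilding the port replaces it
#   no-dep      dynamic, but no librsaref entry; rsaref is either unused
#               or was linked in statically (binary or one of its libraries)
classify_rsaref_linkage() {
    awk -v lib="${RSAREF_LIB:-librsaref.so}" '
        /not a dynamic/ { static = 1 }
        index($0, lib)  { dyn = 1 }
        END {
            if (dyn)         print "dynamic"
            else if (static) print "static-bin"
            else             print "no-dep"
        }'
}

# Constructed sample of ldd output (paths and addresses are made up).
sample_ldd_output() {
    printf '%s\n' \
        '/usr/local/bin/ssh:' \
        '	librsaref.so.2 => /usr/local/lib/librsaref.so.2 (0x2806a000)' \
        '	libc.so.3 => /usr/lib/libc.so.3 (0x28090000)'
}

# Run ldd on each path given and print "path: verdict".
audit_binaries() {
    for bin in "$@"; do
        printf '%s: %s\n' "$bin" "$(ldd "$bin" 2>&1 | classify_rsaref_linkage)"
    done
}

# With arguments, audit those binaries; with none, only define the functions.
if [ "$#" -gt 0 ]; then
    audit_binaries "$@"
fi
```

A `no-dep` or `static-bin` verdict for a port on the bulletin's list is the case where rebuilding only the rsaref port would leave old library code in place.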