From: Kris Kennaway
To: Igor Roshchin
Cc: security@freebsd.org
Date: Tue, 13 Feb 2001 19:33:48 -0800
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:24.ssh

On Tue, Feb 13, 2001 at 10:20:59PM -0500, Igor Roshchin wrote:

> > OpenSSH is installed if you chose to install the 'crypto' distribution
> > at install-time or when compiling from source, and is installed and
> > enabled by default as of FreeBSD 4.1.1-RELEASE. By default SSH1
> > protocol support is enabled.
>
> Excuse me pointing to a similar point in the last few advisories,
> but, again, for some reason earlier releases 4.0 and 4.1 are forgotten.
> While the advisory includes those releases in the list
> of vulnerable systems, the paragraph quoted above tells that
> OpenSSH is installed as of FreeBSD 4.1.1-RELEASE.
> However, I see that 4.0-RELEASE had OpenSSH-1.2.2
> and it is, according to the quote below, vulnerable.
If you look at http://www.freebsd.org/security we only claim to provide security support for the most recent version of FreeBSD (4.2-RELEASE) and after. Historically this is all we've done, although recently we've been doing some support for older versions as well (e.g. 4.1.1). However it is very time-consuming to do this, and I just didn't have time to generate and test patches for older releases this time around.

If someone submits patches for older releases we'll update the advisory.

Kris