Date: Tue, 19 Nov 2013 07:54:16 -0800 From: Darren Pilgrim <list_freebsd@bluerosetech.com> To: Paul Hoffman <phoffman@proper.com>, FreeBSD-security@FreeBSD.org Subject: Re: Question about "FreeBSD Security Advisory FreeBSD-SA-13:14.openssh" Message-ID: <528B89A8.1090605@bluerosetech.com> In-Reply-To: <CA731E13-89EC-4DF1-9D81-FDE6C9C0918F@proper.com> References: <20131119102130.90E5C1A3B@nine.des.no> <CA731E13-89EC-4DF1-9D81-FDE6C9C0918F@proper.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 11/19/2013 7:44 AM, Paul Hoffman wrote: > Greetings again. Why does this announcement only apply to: > >> Affects: FreeBSD 10.0-BETA > > That might be the only version where aes128-gcm and aes256-gcm are in > the defaults, but other versions of FreeBSD allow you to specify > cipher lists in /etc/ssh/sshd_config. I would think that you would > need to update all systems running OpenSSH 6.2 and 6.3, according to > the CVE. FWIW, when I did a freebsd-update on my 9.2-RELEASE system, > sshd (6.2) was not updated. The other requirement for being vulnerable is OpenSSH must be compiled with TLS 1.2 support (i.e., linked to OpenSSL v1.0.1 or later). FreeBSD 9.2 only has OpenSSL 0.9.8.y.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?528B89A8.1090605>