From: Darren Pilgrim
Date: Tue, 19 Nov 2013 07:54:16 -0800
To: Paul Hoffman, FreeBSD-security@FreeBSD.org
Subject: Re: Question about "FreeBSD Security Advisory FreeBSD-SA-13:14.openssh"
Message-ID: <528B89A8.1090605@bluerosetech.com>
References: <20131119102130.90E5C1A3B@nine.des.no>

On 11/19/2013 7:44 AM, Paul Hoffman wrote:
> Greetings again. Why does this announcement only apply to:
>
>> Affects: FreeBSD 10.0-BETA
>
> That might be the only version where aes128-gcm and aes256-gcm are in
> the defaults, but other versions of FreeBSD allow you to specify
> cipher lists in /etc/ssh/sshd_config. I would think that you would
> need to update all systems running OpenSSH 6.2 and 6.3, according to
> the CVE. FWIW, when I did a freebsd-update on my 9.2-RELEASE system,
> sshd (6.2) was not updated.

The other requirement for being vulnerable is that OpenSSH must be compiled
with TLS 1.2 support (i.e., linked to OpenSSL v1.0.1 or later). FreeBSD 9.2
only has OpenSSL 0.9.8y.
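The thread above lists three conditions a host has to meet before this advisory applies to it: OpenSSH 6.2 or 6.3, an AES-GCM cipher enabled in sshd (by default on 10.0-BETA, or via the Ciphers line in sshd_config elsewhere), and a build linked against OpenSSL 1.0.1 or later. The script below is an added example, not part of the list thread or of the FreeBSD advisory, that turns those conditions into a local check an administrator can run. It reads the text that `ssh -V` and `sshd -T` print, so the same functions can be exercised offline on the constructed sample strings at the bottom; the version strings and cipher lists in those samples are made up for illustration, not captured from the systems discussed in the thread.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): classify an OpenSSH host
# against the three exposure conditions discussed in the thread.
# All inputs are plain strings so the logic can be tested without a live sshd.

# is_openssh_62_or_63 "<ssh -V output>" -> 0 if the banner reports OpenSSH 6.2.x or 6.3.x
is_openssh_62_or_63() {
    case "$1" in
        *OpenSSH_6.[23]p[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# openssl_at_least_101 "<ssh -V output>" -> 0 if the linked OpenSSL is 1.0.1 or newer
# (the AES-GCM ciphers in OpenSSH need the GCM support that arrived in OpenSSL 1.0.1).
openssl_at_least_101() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 1
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; rest2=${rest#*.}
    patch=${rest2%%.*}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -gt 0 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] && [ "$patch" -ge 1 ] && return 0
    return 1
}

# sshd_has_gcm_cipher "<sshd -T output>" -> 0 if aes128-gcm or aes256-gcm is in the
# effective cipher list (sshd -T prints the resolved configuration, one keyword per line).
sshd_has_gcm_cipher() {
    printf '%s\n' "$1" | grep -iqE '^ciphers .*aes(128|256)-gcm@openssh\.com'
}

# assess "<ssh -V output>" "<sshd -T output>" -> prints a verdict; returns 0 only when
# all three conditions from the thread hold, 1 otherwise.
assess() {
    v="$1"; cfg="$2"
    if ! is_openssh_62_or_63 "$v"; then
        echo "outside advisory scope: OpenSSH version is not 6.2 or 6.3"; return 1
    fi
    if ! sshd_has_gcm_cipher "$cfg"; then
        echo "outside advisory scope: no AES-GCM cipher enabled in sshd"; return 1
    fi
    if ! openssl_at_least_101 "$v"; then
        echo "outside advisory scope: AES-GCM needs OpenSSL 1.0.1+, this build links an older OpenSSL"; return 1
    fi
    echo "MATCHES ADVISORY: OpenSSH 6.2/6.3, AES-GCM enabled, built against OpenSSL 1.0.1+"
    return 0
}

# Constructed sample inputs (illustrative only, not real output from any host).
SAMPLE_V_92='OpenSSH_6.2p2, OpenSSL 0.9.8y 5 Feb 2013'
SAMPLE_V_10='OpenSSH_6.3p1, OpenSSL 1.0.1e 11 Feb 2013'
SAMPLE_CFG_GCM='ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com'
SAMPLE_CFG_CTR='ciphers aes128-ctr,aes192-ctr,aes256-ctr'

# On a live host, run as root (sshd -T needs to read the full config):
#   assess "$(ssh -V 2>&1)" "$(sshd -T 2>/dev/null)"
assess "$SAMPLE_V_92" "$SAMPLE_CFG_GCM" || :
assess "$SAMPLE_V_10" "$SAMPLE_CFG_GCM" || :
assess "$SAMPLE_V_10" "$SAMPLE_CFG_CTR" || :
```

The first sample reproduces the 9.2-RELEASE situation from the thread (OpenSSH 6.2 but OpenSSL 0.9.8y), which the script reports as outside scope even with GCM listed in the configuration, since that build cannot actually offer the GCM ciphers. Note that `sshd -T` reports the resolved cipher list, so a host whose sshd_config sets `Ciphers` explicitly is checked against what it really enables rather than against the compiled-in defaults.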