Date: Tue, 19 Nov 2013 08:14:31 -0800
From: Paul Hoffman <phoffman@proper.com>
To: Darren Pilgrim <list_freebsd@bluerosetech.com>
Cc: FreeBSD-security@FreeBSD.org
Subject: Re: Question about "FreeBSD Security Advisory FreeBSD-SA-13:14.openssh"
Message-ID: <F2D089B1-693E-444C-8002-B8A886F197E4@proper.com>
In-Reply-To: <528B89A8.1090605@bluerosetech.com>
References: <20131119102130.90E5C1A3B@nine.des.no> <CA731E13-89EC-4DF1-9D81-FDE6C9C0918F@proper.com> <528B89A8.1090605@bluerosetech.com>
On Nov 19, 2013, at 7:54 AM, Darren Pilgrim <list_freebsd@bluerosetech.com> wrote:

> On 11/19/2013 7:44 AM, Paul Hoffman wrote:
>> Greetings again. Why does this announcement only apply to:
>>
>>> Affects: FreeBSD 10.0-BETA
>>
>> That might be the only version where aes128-gcm and aes256-gcm are in
>> the defaults, but other versions of FreeBSD allow you to specify
>> cipher lists in /etc/ssh/sshd_config. I would think that you would
>> need to update all systems running OpenSSH 6.2 and 6.3, according to
>> the CVE. FWIW, when I did a freebsd-update on my 9.2-RELEASE system,
>> sshd (6.2) was not updated.
>
> The other requirement for being vulnerable is OpenSSH must be compiled with TLS 1.2 support (i.e., linked to OpenSSL v1.0.1 or later). FreeBSD 9.2 only has OpenSSL 0.9.8.y.

Very clear explanation, thanks! (I note that this wasn't even hinted at in the CVE...)

--Paul Hoffman
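A triage sketch for the three conditions discussed in this thread (OpenSSH 6.2 or 6.3, linked OpenSSL 1.0.1 or later, AES-GCM ciphers enabled). It is an added example, not part of the original message or of the FreeBSD advisory. The function names, verdict strings and sample inputs are constructed for illustration, and the banner is assumed to be the output of `ssh -V 2>&1`.

```sh
#!/bin/sh
# Added example. The conditions are the ones stated in this thread, not an
# authoritative restatement of the advisory.

# 0 if the `ssh -V 2>&1` banner in $1 reports OpenSSH 6.2 or 6.3.
openssh_in_range() {
    case "$1" in
        OpenSSH_6.2*|OpenSSH_6.3*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 only if the banner names an OpenSSL release that parses and is below 1.0.1.
# An unparsable banner returns 1 so the host still gets reviewed.
openssl_older_than_101() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/.*OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 1
    set -- $ver
    [ $(( $1 * 10000 + $2 * 100 + $3 )) -lt 10001 ]
}

# 0 if AES-GCM is in play. $1 is the sshd_config text; $2 is "yes" when the
# release's default cipher list already contains the GCM ciphers.
# An explicit Ciphers line replaces the defaults, so it is checked first.
gcm_enabled() {
    line=$(printf '%s\n' "$1" | grep -i -E '^[[:space:]]*ciphers[[:space:]]' | head -n 1)
    if [ -z "$line" ]; then
        if [ "$2" = yes ]; then return 0; else return 1; fi
    fi
    printf '%s\n' "$line" | grep -q -E 'aes(128|256)-gcm'
}

# triage BANNER CONFIG_TEXT DEFAULTS_HAVE_GCM -> prints one verdict token
triage() {
    if ! openssh_in_range "$1"; then echo "not-affected:openssh-version"
    elif openssl_older_than_101 "$1"; then echo "not-affected:openssl-pre-1.0.1"
    elif ! gcm_enabled "$2" "$3"; then echo "not-affected:gcm-not-enabled"
    else echo "review:all-conditions-hold"
    fi
}

# Constructed sample inputs (not captured from real hosts).
OLD='OpenSSH_6.2p2, OpenSSL 0.9.8y 5 Feb 2013'
NEW='OpenSSH_6.3p1, OpenSSL 1.0.1e 11 Feb 2013'
CFG='#Ciphers aes128-ctr
Ciphers aes256-ctr,aes256-gcm@openssh.com'

triage "$OLD" "$CFG" no
triage "$NEW" "$CFG" no
triage "$NEW" 'Ciphers aes128-ctr,aes256-ctr' yes
```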