Date: Tue, 19 Nov 2013 08:14:31 -0800
From: Paul Hoffman <phoffman@proper.com>
To: Darren Pilgrim <list_freebsd@bluerosetech.com>
Cc: FreeBSD-security@FreeBSD.org
Subject: Re: Question about "FreeBSD Security Advisory FreeBSD-SA-13:14.openssh"
Message-ID: <F2D089B1-693E-444C-8002-B8A886F197E4@proper.com>
In-Reply-To: <528B89A8.1090605@bluerosetech.com>
References: <20131119102130.90E5C1A3B@nine.des.no> <CA731E13-89EC-4DF1-9D81-FDE6C9C0918F@proper.com> <528B89A8.1090605@bluerosetech.com>
On Nov 19, 2013, at 7:54 AM, Darren Pilgrim <list_freebsd@bluerosetech.com> wrote:

> On 11/19/2013 7:44 AM, Paul Hoffman wrote:
>> Greetings again. Why does this announcement only apply to:
>>
>>> Affects: FreeBSD 10.0-BETA
>>
>> That might be the only version where aes128-gcm and aes256-gcm are in
>> the defaults, but other versions of FreeBSD allow you to specify
>> cipher lists in /etc/ssh/sshd_config. I would think that you would
>> need to update all systems running OpenSSH 6.2 and 6.3, according to
>> the CVE. FWIW, when I did a freebsd-update on my 9.2-RELEASE system,
>> sshd (6.2) was not updated.
>
> The other requirement for being vulnerable is OpenSSH must be compiled
> with TLS 1.2 support (i.e., linked to OpenSSL v1.0.1 or later). FreeBSD
> 9.2 only has OpenSSL 0.9.8.y.

Very clear explanation, thanks! (I note that this wasn't even hinted at in the CVE...)

--Paul Hoffman
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?F2D089B1-693E-444C-8002-B8A886F197E4>
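The three conditions the exchange above lays out (sshd is OpenSSH 6.2 or 6.3, it is linked against OpenSSL 1.0.1 or later, and an AES-GCM cipher is actually in sshd's effective cipher list, whether by the 10.0-BETA defaults or by a hand-written Ciphers line) turned into a check that can be run on a host. This is an added example, not code from the thread or from the FreeBSD advisory; the function names `is_affected` and `version_num`, the result messages, and the sample `ssh -V` strings are my own (the samples are constructed to look like real output, not captured from any host).

```shell
#!/bin/sh
# Added example (not from the FreeBSD-security thread). Classifies one host
# by the conditions discussed in the thread for FreeBSD-SA-13:14.openssh.
# A build counts as affected only if all three hold:
#   1. OpenSSH is 6.2 or 6.3 (the releases the advisory and CVE name),
#   2. it is linked against OpenSSL 1.0.1 or later (the first OpenSSL with
#      the AES-GCM support the thread mentions), and
#   3. an AES-GCM cipher is in sshd's effective Ciphers list.
# Inputs are plain strings so the check runs offline; on a live host use
#   is_affected "$(ssh -V 2>&1)" "$(sshd -T 2>/dev/null | grep '^ciphers ')"
# (ssh -V prints to stderr; sshd -T needs root to read the host keys and
# prints the effective config, defaults included, which is the point here:
# a hand-set Ciphers line enables GCM on releases whose defaults do not).

# version_num "1.0.1" -> 10001, so dotted versions compare as integers.
version_num() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
}

# is_affected "<ssh -V output>" "<ciphers line from sshd -T>"
# Prints "affected" or "not affected: <reason>" (or "unknown: ..." when the
# version strings cannot be parsed); exit status is 0 only when affected.
is_affected() {
    sshv=$1
    ciphers=$2

    # "OpenSSH_6.2p2_hpn13v11 FreeBSD-20130515, ..." -> "6.2"
    osshver=$(printf '%s\n' "$sshv" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    case "$osshver" in
        6.2|6.3) ;;
        "") echo "unknown: could not parse OpenSSH version"; return 2 ;;
        *)  echo "not affected: OpenSSH $osshver is not 6.2 or 6.3"; return 1 ;;
    esac

    # "..., OpenSSL 0.9.8y 5 Feb 2013" -> "0.9.8"
    sslver=$(printf '%s\n' "$sshv" |
        sed -n 's/.*OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if [ -z "$sslver" ]; then
        echo "unknown: could not parse OpenSSL version"; return 2
    fi
    if [ "$(version_num "$sslver")" -lt "$(version_num 1.0.1)" ]; then
        echo "not affected: OpenSSL $sslver predates 1.0.1, so no AES-GCM"; return 1
    fi

    # Only the GCM ciphers matter; the CTR/CBC ones in the same list do not.
    case "$ciphers" in
        *aes128-gcm@openssh.com*|*aes256-gcm@openssh.com*) ;;
        *) echo "not affected: no AES-GCM cipher in the effective Ciphers list"; return 1 ;;
    esac

    echo "affected"
    return 0
}

# Constructed sample inputs (shaped like real ssh -V / sshd -T output, but
# not captured from any host), "<ssh -V>|<ciphers line>":
for sample in \
    "OpenSSH_6.2p2, OpenSSL 1.0.1e 11 Feb 2013|ciphers aes128-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com" \
    "OpenSSH_6.2p2_hpn13v11 FreeBSD-20130515, OpenSSL 0.9.8y 5 Feb 2013|ciphers aes128-gcm@openssh.com" \
    "OpenSSH_6.3p1, OpenSSL 1.0.1e 11 Feb 2013|ciphers aes128-ctr,aes256-ctr" \
    "OpenSSH_6.4p1, OpenSSL 1.0.1e 11 Feb 2013|ciphers aes128-gcm@openssh.com"
do
    echo "${sample%%|*}"
    echo "  ${sample#*|}"
    echo "  -> $(is_affected "${sample%%|*}" "${sample#*|}")"
done
```

The second sample is the 9.2-RELEASE case from the thread: OpenSSH 6.2 with GCM configured by hand still comes out "not affected" because the base-system OpenSSL is 0.9.8y, which is why freebsd-update left that sshd alone. Note the check only reads version strings and sshd's configured list; it does not confirm that a particular session negotiated GCM.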
