From owner-freebsd-security@FreeBSD.ORG  Tue Nov 19 16:14:38 2013
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: FreeBSD-security@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 9EA0EABB
 for <FreeBSD-security@FreeBSD.org>; Tue, 19 Nov 2013 16:14:38 +0000 (UTC)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM
 [IPv6:2605:8e00:100:41::81])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id 795B12AA0
 for <FreeBSD-security@FreeBSD.org>; Tue, 19 Nov 2013 16:14:38 +0000 (UTC)
Received: from [10.20.30.90] (50-0-66-41.dsl.dynamic.sonic.net [50.0.66.41])
 (authenticated bits=0)
 by hoffman.proper.com (8.14.7/8.14.7) with ESMTP id rAJGEWIP083201
 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO);
 Tue, 19 Nov 2013 09:14:34 -0700 (MST)
 (envelope-from phoffman@proper.com)
X-Authentication-Warning: hoffman.proper.com: Host
 50-0-66-41.dsl.dynamic.sonic.net [50.0.66.41] claimed to be [10.20.30.90]
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 7.0 \(1822\))
Subject: Re: Question about "FreeBSD Security Advisory
 FreeBSD-SA-13:14.openssh"
From: Paul Hoffman <phoffman@proper.com>
In-Reply-To: <528B89A8.1090605@bluerosetech.com>
Date: Tue, 19 Nov 2013 08:14:31 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <F2D089B1-693E-444C-8002-B8A886F197E4@proper.com>
References: <20131119102130.90E5C1A3B@nine.des.no>
 <CA731E13-89EC-4DF1-9D81-FDE6C9C0918F@proper.com>
 <528B89A8.1090605@bluerosetech.com>
To: Darren Pilgrim <list_freebsd@bluerosetech.com>
X-Mailer: Apple Mail (2.1822)
Cc: FreeBSD-security@FreeBSD.org
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.16
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Nov 2013 16:14:38 -0000

On Nov 19, 2013, at 7:54 AM, Darren Pilgrim =
<list_freebsd@bluerosetech.com> wrote:

> On 11/19/2013 7:44 AM, Paul Hoffman wrote:
>> Greetings again. Why does this announcement only apply to:
>>=20
>>> Affects:        FreeBSD 10.0-BETA
>>=20
>> That might be the only version where aes128-gcm and aes256-gcm are in
>> the defaults, but other versions of FreeBSD allow you to specify
>> cipher lists in /etc/ssh/sshd_config. I would think that you would
>> need to update all systems running OpenSSH 6.2 and 6.3, according to
>> the CVE. FWIW, when I did a freebsd-update on my 9.2-RELEASE system,
>> sshd (6.2) was not updated.
>=20
> The other requirement for being vulnerable is OpenSSH must be compiled =
with TLS 1.2 support (i.e., linked to OpenSSL v1.0.1 or later).  FreeBSD =
9.2 only has OpenSSL 0.9.8.y.

Very clear explanation, thanks! (I note that this wasn't even hinted at =
in the CVE...)

--Paul Hoffman=