From owner-freebsd-security Wed Feb 14 11:52:39 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66]) by hub.freebsd.org (Postfix) with ESMTP id 6F84A37B401 for ; Wed, 14 Feb 2001 11:52:30 -0800 (PST)
Received: from nomad.yogotech.com (nomad.yogotech.com [206.127.123.131]) by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id MAA02865; Wed, 14 Feb 2001 12:52:02 -0700 (MST) (envelope-from nate@nomad.yogotech.com)
Received: (from nate@localhost) by nomad.yogotech.com (8.8.8/8.8.8) id MAA25447; Wed, 14 Feb 2001 12:52:01 -0700 (MST) (envelope-from nate)
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14986.57825.251227.67134@nomad.yogotech.com>
Date: Wed, 14 Feb 2001 12:52:01 -0700 (MST)
To: Kris Kennaway
Cc: Igor Roshchin, security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:24.ssh
In-Reply-To: <20010213193348.C61478@mollari.cthul.hu>
References: <200102140320.WAA59845@giganda.komkon.org> <20010213193348.C61478@mollari.cthul.hu>
X-Mailer: VM 6.75 under 21.1 (patch 12) "Channel Islands" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > > OpenSSH is installed if you chose to install the 'crypto' distribution
> > > at install-time or when compiling from source, and is installed and
> > > enabled by default as of FreeBSD 4.1.1-RELEASE. By default SSH1
> > > protocol support is enabled.
> >
> > Excuse me pointing to a similar point in the last few advisories,
> > but, again, for some reason earlier releases 4.0 and 4.1 are forgotten.
> > While the advisory includes those releases in the list
> > of vulnerable systems, the paragraph quoted above tells that
> > OpenSSH is installed as of FreeBSD 4.1.1-RELEASE.
> > However, I see that 4.0-RELEASE had OpenSSH-1.2.2
> > and it is, according to the quote below, vulnerable.
>
> If you look at http://www.freebsd.org/security we only claim to
> provide security support for the most recent version of FreeBSD
> (4.2-RELEASE) and after.

I agree that 'support' is one thing, but at least mentioning which
releases are affected by this bug would be good.  Most of the other
vendors list all of their releases as being affected or not, and since
most of the deployed FreeBSD systems are *NOT* running 4.2R, this is of
great benefit to the users.

The BIND/NAMED advisory was an example of explaining how to determine if
the system was vulnerable.  The OpenSSH one was an example of an advisory
that was not as helpful.

Other information that would have been useful is a mention of whether
the 'ssh1/ssh2' ports (www.ssh.org) in FreeBSD are vulnerable, etc...


Nate
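The message above contrasts the BIND advisory, which told readers how to determine whether a system was vulnerable, with the OpenSSH one, which did not. As an added example, not code from the advisory, from this list thread, or from the FreeBSD project, here is a POSIX sh check that parses the banner `ssh -V` prints and compares it with a fixed version supplied by the administrator. The fixed version is not stated on this page and must be taken from the advisory itself; the banner strings in the comments and the 2.3.0 in the usage comment are constructed placeholders, and `openssh_version`, `version_lt` and `check_openssh` are names chosen here. A system running the ssh.com ssh1/ssh2 ports rather than OpenSSH yields no match and is reported as "unknown" instead of being silently called safe.

```shell
# Added example (editor's code, not from the advisory or the list thread):
# report whether the installed OpenSSH predates an administrator-supplied
# fixed version. The fixed version is NOT stated on this page; take it
# from the advisory and pass it as the script's first argument.

# openssh_version LINE: print the dotted version found in `ssh -V` output,
# e.g. "1.2.2" from "SSH Version OpenSSH_1.2.2, protocol versions 1.5"
# or "2.3.0" from "OpenSSH_2.3.0p1, SSL 0.9.6" (portable "pN" suffix dropped).
# Prints nothing when no OpenSSH version string is present (constructed
# sample banners; the exact wording varies between releases).
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_lt A B: return 0 when dotted version A is numerically below B.
# Components are compared as integers, not strings, so 1.10 > 1.9.
# Missing components count as 0, so 2.3 < 2.3.1 and 2.3.0 is not < 2.3.
version_lt() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}
        bi=${b%%.*}
        [ -n "$ai" ] || ai=0
        [ -n "$bi" ] || bi=0
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# check_openssh OUTPUT REQUIRED: print "vulnerable" (exit 1) when the
# version parsed from OUTPUT is below REQUIRED, "ok" (exit 0) otherwise,
# or "unknown" (exit 2) when no OpenSSH version could be parsed, which is
# what happens on a host running a different SSH implementation.
check_openssh() {
    v=$(openssh_version "$1")
    if [ -z "$v" ]; then
        echo unknown
        return 2
    fi
    if version_lt "$v" "$2"; then
        echo vulnerable
        return 1
    fi
    echo ok
    return 0
}

# Run against the live system when a fixed version is given on the
# command line, e.g.:  sh check_openssh.sh 2.3.0   (2.3.0 is a placeholder).
# `ssh -V` writes its banner to stderr, hence 2>&1.
if [ -n "${1:-}" ]; then
    check_openssh "$(ssh -V 2>&1)" "$1"
fi
```

Run it with the fixed version from the advisory as the only argument; the exit status (0 ok, 1 vulnerable, 2 unknown) is what a fleet-wide sweep over ssh or rsh would collect, and "unknown" hosts need a manual look rather than being counted as patched.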