Date: Wed, 14 Feb 2001 15:50:02 -0400 (AST)
From: The Hermit Hacker
To: Nate Williams
Cc: Kris Kennaway, Igor Roshchin
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:24.ssh
In-Reply-To: <14986.57825.251227.67134@nomad.yogotech.com>

On Wed, 14 Feb 2001, Nate Williams wrote:

> > > > OpenSSH is installed if you chose to install the 'crypto' distribution
> > > > at install-time or when compiling from source, and is installed and
> > > > enabled by default as of FreeBSD 4.1.1-RELEASE. By default SSH1
> > > > protocol support is enabled.
> > >
> > > Excuse me pointing to a similar point in the last few advisories,
> > > but, again, for some reason earlier releases 4.0 and 4.1 are forgotten.
> > > While the advisory includes those releases in the list
> > > of vulnerable systems, the paragraph quoted above tells that
> > > OpenSSH is installed as of FreeBSD 4.1.1-RELEASE.
> > > However, I see that 4.0-RELEASE had OpenSSH-1.2.2
> > > and it is, according to the quote below is vulnerable.
> >
> > If you look at http://www.freebsd.org/security we only claim to
> > provide security support for the most recent version of FreeBSD
> > (4.2-RELEASE) and after.
>
> I agree that 'support' is one thing, but at least mentioning which
> releases are affected by this bug would be good.
>
> Most of the other vendors list all of their 'affected' releases as being
> affected or not, and since most of the deployed FreeBSD systems are
> *NOT* running 4.2R, this is of great benefit to the users.

If nothing else, by listing anything before 4.2R as *being* vulnerable,
but unsupported, you give ppl one more incentive to dive into upgrading ...