From: Martin Simmons
To: freebsd-security@freebsd.org
Date: Wed, 2 Nov 2016 13:57:17 GMT
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:33.openssh
In-reply-to: <20161102075533.8BBA114B5@freefall.freebsd.org> (message from FreeBSD Security Advisories on Wed, 2 Nov 2016 07:55:33 +0000 (UTC))

>>>>> On Wed, 2 Nov 2016 07:55:33 +0000 (UTC), FreeBSD Security Advisories said:
>
> =============================================================================
> FreeBSD-SA-16:33.openssh                                    Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          OpenSSH Remote Denial of Service vulnerability
>
> Category:       contrib
> Module:         OpenSSH
> Announced:      2016-11-02
> Affects:        All supported versions of FreeBSD.
> Corrected:      2016-11-02 06:56:35 UTC (stable/11, 11.0-STABLE)
>                 2016-11-02 07:23:19 UTC (releng/11.0, 11.0-RELEASE-p3)
>                 2016-11-02 06:58:47 UTC (stable/10, 10.3-STABLE)
>                 2016-11-02 07:23:36 UTC (releng/10.3, 10.3-RELEASE-p12)
> CVE Name:       CVE-2016-8858

Should this be corrected in 10.1-RELEASE as well?

I ask because Debian (https://security-tracker.debian.org/tracker/CVE-2016-8858) has marked it as vulnerable in OpenSSH 6.0 and OpenSSH 6.7 and it looks like 10.1-RELEASE contains OpenSSH 6.6, which I assume is also vulnerable.

__Martin