From owner-freebsd-doc  Sun Mar 10 10:20: 4 2002
Delivered-To: freebsd-doc@freebsd.org
Received: from mail.ruhr.de (in-ruhr4.ruhr.de [212.23.134.2])
	by hub.freebsd.org (Postfix) with SMTP id 8212237B404
	for <freebsd-doc@FreeBSD.org>; Sun, 10 Mar 2002 10:19:58 -0800 (PST)
Received: (qmail 12903 invoked by uid 10); 10 Mar 2002 18:19:56 -0000
Received: (from ue@localhost)
	by nathan.ruhr.de (8.11.6/8.11.2) id g2AICUj15256;
	Sun, 10 Mar 2002 19:12:30 +0100 (CET)
	(envelope-from ue)
Date: Sun, 10 Mar 2002 19:12:30 +0100
From: Udo Erdelhoff <ue@nathan.ruhr.de>
To: freebsd-doc@FreeBSD.org
Cc: "Bruce A. Mah" <bmah@FreeBSD.org>
Subject: Re: cvs commit: src/release/doc/en_US.ISO8859-1/relnotes/common new.sgml
Message-ID: <20020310191230.E89278@nathan.ruhr.de>
Mail-Followup-To: freebsd-doc@FreeBSD.org,
	"Bruce A. Mah" <bmah@FreeBSD.org>
References: <200203090112.g291C4A36851@freefall.freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <200203090112.g291C4A36851@freefall.freebsd.org>
User-Agent: Mutt/1.3.22.1i
Sender: owner-freebsd-doc@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-doc.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-doc>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-doc>
X-Loop: FreeBSD.org

Hi,
On Fri, Mar 08, 2002 at 05:12:04PM -0800, Bruce A. Mah wrote:
>   1.297     +4 -2      src/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml

I think there is a small typo/omission in the entry:

] This bug could have allowed an authenticated remote user to cause
] &man.sshd.8; to execute arbitrary code with superuser privileges,

This part is correct and clear: A 'bad' client can abuse the server

] or allowed a connecting SSH client to execute arbitrary
] code with the privileges of the client user. 

but I think this part should be clearer.  According to the advisories
I have read, a 'bad' server can abuse the client.  My suggestion
is to replace this part with "or allowed a malicous SSH server to
execute arbitrary code on the client system with the privileges of
the client user".

/s/Udo
-- 
Ruhig meine Brüder im Geiste. Müßt Ihr Euch an einem Montag morgen
gegenseitig so an die Karre pissen?? Habt Ihr denn keine Anwender
an denen Ihr Euren Unmut auslassen könnt???

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-doc" in the body of the message