From owner-freebsd-security Thu May 31 18:41:35 2001
Date: Thu, 31 May 2001 18:42:27 -0700 (PDT)
From: Brian Behlendorf
To: Alex Holst
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
In-Reply-To: <20010601013041.A32818@area51.dk>
Sender: owner-freebsd-security@FreeBSD.ORG

On Fri, 1 Jun 2001, Alex Holst wrote:
> That should be verified often with scanssh or something similar.

I am sure it was 2.2.0. I had done a make buildworld Jan 31st but hadn't done a make installworld since Jan 12th, before the fix went in. Dumb dumb.

> I was surprised when I read about the compromise, because it gives the
> impression that people are still using passwords (as opposed to keys
> with passphrases) for authentication in this day and age. Is that
> correct? If so, why is that?

CVS pserver. Yes, there is a long term plan to do away with the insecurities inherent in distributed CVS development: http://subversion.tigris.org/.

Brian