Date: Mon, 29 Mar 2004 10:58:01 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: freebsd-questions@freebsd.org
Subject: Re: Latest SSH?
Message-ID: <20040329095801.GA8239@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <20040329093242.GA5633@khisanth.hopto.org>
References: <20040329093242.GA5633@khisanth.hopto.org>

On Mon, Mar 29, 2004 at 10:32:42AM +0100, Danny Woods wrote:
> Hi all,
>
> I upgraded from 5.1 to 5.2.1p3 over the weekend, and finished off with a Nessus
> scan to check that ssh was the only port visible to the outside world. Despite
> a recent (i.e. last Thursday) cvsup to sync the source tree, I'm getting a
> high severity warning about a hole in SSH based on the version number reported
> (3.6.1p1 FreeBSD-20030924). I'm using the core ssh, not the version from ports.
> Does anyone know if this problem is real, or a false-positive?

It's false. I assume it's complaining about the problems described in

    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:15.openssh.asc

as that's the last OpenSSH advisory published. (Not to be confused
with the recent OpenSSL advisory).

The security patches supplied fix the vulnerabilities, but they
generally don't do that by supplying a whole new version of an
application. Import of new versions of such things as OpenSSH will
only happen on one of the development branches -- i.e. HEAD (5-CURRENT)
or RELENG_4 (4.9-STABLE), so RELENG_5_2 will stick with
OpenSSH-3.6.1p1 and you'll have to wait until RELENG_5_3 in order to
upgrade to OpenSSH-3.8p1 (or whatever the OpenSSH version is by the
time 5.3-RELEASE comes out).

> As an aside, can sshd be prevented from reporting its version number on
> connect, or is this something that a client-app needs to know?

The client app needs to know the version of the SSH protocol you're
running -- that it gets from the 'SSH-1.99' part at the beginning of
the banner ssh emits when you connect to port 22. The rest of what's
printed there is not so important. Apart from the 'version addendum'
part, you'd have to hack the source code and recompile to change
what's printed.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
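
The banner fields and the false positive discussed in this message, as an added example that is not part of the original e-mail or of any scanner's code: it splits the identification line into protocol version, software version and version addendum, then contrasts a banner-only version match with a check against the advisories actually applied on the host. The full banner line is constructed from the values quoted in the message; `FIXED_IN` and the set of applied advisories are hypothetical inputs.

```python
import re

# Identification line format: SSH-protoversion-softwareversion[ SP comments]
# (later standardized in RFC 4253, section 4.2).
IDENT_RE = re.compile(r"^SSH-([^\s-]+)-([^\s-]+)(?: (.*))?$")

def parse_ident(line):
    """Return (protoversion, softwareversion, comments-or-None)."""
    m = IDENT_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not an SSH identification string: %r" % line)
    return m.groups()

def offered_protocols(proto):
    """Protocol versions on offer: the only part the client depends on."""
    if proto == "1.99":               # compatibility marker: SSH-2 and SSH-1
        return ["1", "2"]
    return [proto.split(".")[0]]

def upstream_version(software):
    """'OpenSSH_3.6.1p1' -> (3, 6, 1); None for other software strings."""
    m = re.match(r"OpenSSH_(\d+(?:\.\d+)*)", software)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def banner_only_verdict(line, fixed_in):
    """What a version-matching scanner concludes from the banner alone."""
    version = upstream_version(parse_ident(line)[1])
    return version is not None and version < fixed_in

def verified_verdict(line, fixed_in, advisory, applied_advisories):
    """Same finding, checked against the host's record of applied patches."""
    if not banner_only_verdict(line, fixed_in):
        return "not flagged"
    if advisory in applied_advisories:
        return "false positive: fix backported, version string unchanged"
    return "needs patching"

# Constructed sample data, assembled from values quoted in the message.
SAMPLE = "SSH-1.99-OpenSSH_3.6.1p1 FreeBSD-20030924\r\n"
FIXED_IN = (3, 7, 1)                  # hypothetical scanner threshold
ADVISORY = "FreeBSD-SA-03:15.openssh"

if __name__ == "__main__":
    print(parse_ident(SAMPLE), offered_protocols("1.99"))
    print(banner_only_verdict(SAMPLE, FIXED_IN))
    print(verified_verdict(SAMPLE, FIXED_IN, ADVISORY, {ADVISORY}))
```
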