From owner-freebsd-security Mon Mar 19 9:29:47 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mine.kame.net (kame195.kame.net [203.178.141.195])
    by hub.freebsd.org (Postfix) with ESMTP id 5FADE37B71A
    for ; Mon, 19 Mar 2001 09:29:44 -0800 (PST)
    (envelope-from sakane@ydc.co.jp)
Received: from localhost ([3ffe:507:1ff:2:260:1dff:fe21:f766])
    by mine.kame.net (8.11.1/3.7W) with ESMTP id f2JHViY96126;
    Tue, 20 Mar 2001 02:31:44 +0900 (JST)
To: kris@obsecurity.org
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: What's vunerable?
In-Reply-To: Your message of "Fri, 16 Mar 2001 12:23:26 -0800" <20010316122326.A98524@mollari.cthul.hu>
References: <20010316122326.A98524@mollari.cthul.hu>
X-Mailer: Cue version 0.6 (010224-1625/sakane)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Message-Id: <20010320022922E.sakane@ydc.co.jp>
Date: Tue, 20 Mar 2001 02:29:22 +0900
From: Shoichi Sakane
X-Dispatcher: imput version 20000228(IM140)
Lines: 24
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > The version of OpenSSH in the ports tree is not plain 2.2.0, but 2.2.0
> > 'port revision' 2. The 'port revision' was bumped twice to indicate
> > important security fixes. The 'some vulnerability' you are referring to
> > is probably the Bleichenbacher attack, which affected nearly all SSH
> > servers at the time; a fix was promptly added to the FreeBSD port.
> The above is correct, as is noted in the relevant FreeBSD advisory on OpenSSH :- ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:24.ssh.asc

I couldn't find the word "Bleichenbacher" in this advisory.

Thank you, I understand that the port version is not vulnerable.
I compiled and installed 2.2.0 'port revision' 2, and I connected
to the ssh port number 22 on localhost. The sshd said,

shoichi:~] telnet localhost 22
Trying ::1...
Connected to localhost.
Escape character is '^]'.
SSH-1.99-OpenSSH_2.2.0

I just thought the version was vulnerable.
So I think the version should be "SSH-1.99-OpenSSH_2.2.0-port_revision_2"
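
Added example, not part of the original message or of OpenSSH or FreeBSD code: a small triage helper showing why the banner above cannot settle the question on its own, and how either the installed package name or the banner format proposed in the message would. The function names, the package name layout `OpenSSH-2.2.0_2`, and the choice of port revision 2 as the first fixed revision are assumptions made for illustration; the message only states that revision 2 is not vulnerable.

```python
import re

# Identification string layout: SSH-<protoversion>-<softwareversion>.
# The optional "-port_revision_N" suffix is the format proposed in the message,
# not something sshd actually emits.
BANNER_RE = re.compile(
    r"^SSH-([^-\s]+)-OpenSSH_(\d+(?:\.\d+)*)(?:-port_revision_(\d+))?")
# Assumed package name layout: <name>-<version>[_<portrevision>]
PKG_RE = re.compile(r"^openssh-(\d+(?:\.\d+)*)(?:_(\d+))?$", re.IGNORECASE)


def _ver(text):
    return tuple(int(part) for part in text.split("."))


def parse_banner(line):
    """Return (upstream_version, port_revision or None) from an sshd banner."""
    m = BANNER_RE.match(line.strip())
    if not m:
        raise ValueError("not an OpenSSH identification string: %r" % line)
    return _ver(m.group(2)), (int(m.group(3)) if m.group(3) else None)


def parse_package(name):
    """Return (upstream_version, port_revision); a missing revision means 0."""
    m = PKG_RE.match(name.strip())
    if not m:
        raise ValueError("unrecognised package name: %r" % name)
    return _ver(m.group(1)), int(m.group(2) or 0)


def assess(banner, fixed_version, fixed_revision, package=None):
    """Classify a host as 'patched', 'vulnerable' or 'inconclusive'."""
    version, revision = parse_banner(banner)
    if package is not None:
        pkg_version, revision = parse_package(package)
        if pkg_version != version:
            return "inconclusive"  # banner and package disagree; check by hand
    if version != fixed_version:
        # Assumption: later upstream releases carry the fix, earlier ones do not.
        return "patched" if version > fixed_version else "vulnerable"
    if revision is None:
        return "inconclusive"      # same upstream version, revision not visible
    return "patched" if revision >= fixed_revision else "vulnerable"


# Constructed inputs based on the message above.
FIXED = ((2, 2, 0), 2)
REAL_BANNER = "SSH-1.99-OpenSSH_2.2.0"
PROPOSED_BANNER = "SSH-1.99-OpenSSH_2.2.0-port_revision_2"
```

With the banner the server really sends, `assess(REAL_BANNER, *FIXED)` can only answer "inconclusive"; supplying `package="OpenSSH-2.2.0_2"` or using the proposed banner resolves it to "patched".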