Date: Fri, 16 Mar 2001 12:23:26 -0800 From: Kris Kennaway <kris@obsecurity.org> To: Shoichi Sakane <sakane@ydc.co.jp>, kris@obsecurity.org, freebsd-security@FreeBSD.ORG Subject: Re: What's vunerable? Message-ID: <20010316122326.A98524@mollari.cthul.hu> In-Reply-To: <20010316144417.A22302@ringworld.oblivion.bg>; from roam@orbitel.bg on Fri, Mar 16, 2001 at 02:44:17PM %2B0200 References: <20010316014004.A86953@mollari.cthul.hu> <20010316192556Q.sakane@ydc.co.jp> <20010316144417.A22302@ringworld.oblivion.bg>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] On Fri, Mar 16, 2001 at 02:44:17PM +0200, Peter Pentchev wrote: > On Fri, Mar 16, 2001 at 07:25:56PM +0900, Shoichi Sakane wrote: > > > > What I really need to know is what vulnerabilities exist on each box - > > > > so that I can present the boss with a risk assessment, and make him > > > > decide if the box stays as is, or gets a make world. > > > > > Read the advisories. > > > > why don't the maintener of the ports of openssh make upgrade its version ? > > current version of the ports is openssh 2.2.0 which has some vulnerability. > > The version of OpenSSH in the ports tree is not plain 2.2.0, but 2.2.0 > 'port revision' 2. The 'port revision' was bumped twice to indicate > important security fixes. The 'some vulnerability' you are referring to > is probably the Bleichenbacher attack, which affected nearly all SSH > servers at the time; a fix was prompty added to the FreeBSD port. The above is correct, as is noted in the relevant FreeBSD advisory on OpenSSH :-) Kris [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6snY+Wry0BWjoQKURAkyZAJ9MoG4EY5PHgC0/UUdseqHgUG9IuQCfXC+l qaJTMVjqbYkLF+LvqwvK5y0= =KDt7 -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010316122326.A98524>