From owner-freebsd-security Fri Mar 16 12:23:30 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-202.dsl.lsan03.pacbell.net [63.207.60.202]) by hub.freebsd.org (Postfix) with ESMTP id C153037B71A for ; Fri, 16 Mar 2001 12:23:26 -0800 (PST) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 530D266B25; Fri, 16 Mar 2001 12:23:26 -0800 (PST) Date: Fri, 16 Mar 2001 12:23:26 -0800 From: Kris Kennaway To: Shoichi Sakane , kris@obsecurity.org, freebsd-security@FreeBSD.ORG Subject: Re: What's vunerable? Message-ID: <20010316122326.A98524@mollari.cthul.hu> References: <20010316014004.A86953@mollari.cthul.hu> <20010316192556Q.sakane@ydc.co.jp> <20010316144417.A22302@ringworld.oblivion.bg> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="HcAYCG3uE/tztfnV" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010316144417.A22302@ringworld.oblivion.bg>; from roam@orbitel.bg on Fri, Mar 16, 2001 at 02:44:17PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --HcAYCG3uE/tztfnV Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Mar 16, 2001 at 02:44:17PM +0200, Peter Pentchev wrote: > On Fri, Mar 16, 2001 at 07:25:56PM +0900, Shoichi Sakane wrote: > > > > What I really need to know is what vulnerabilities exist on each bo= x - > > > > so that I can present the boss with a risk assessment, and make him > > > > decide if the box stays as is, or gets a make world. > >=20 > > > Read the advisories. > >=20 > > why don't the maintener of the ports of openssh make upgrade its versio= n ? > > current version of the ports is openssh 2.2.0 which has some vulnerabil= ity. >=20 > The version of OpenSSH in the ports tree is not plain 2.2.0, but 2.2.0 > 'port revision' 2. The 'port revision' was bumped twice to indicate > important security fixes. The 'some vulnerability' you are referring to > is probably the Bleichenbacher attack, which affected nearly all SSH > servers at the time; a fix was prompty added to the FreeBSD port. The above is correct, as is noted in the relevant FreeBSD advisory on OpenS= SH :-) Kris --HcAYCG3uE/tztfnV Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6snY+Wry0BWjoQKURAkyZAJ9MoG4EY5PHgC0/UUdseqHgUG9IuQCfXC+l qaJTMVjqbYkLF+LvqwvK5y0= =KDt7 -----END PGP SIGNATURE----- --HcAYCG3uE/tztfnV-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message