From owner-freebsd-security Tue Jul 2 7:12:57 2002
Date: Tue, 2 Jul 2002 16:12:50 +0200
From: Buki
To: Peter Brezny
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response
Message-ID: <20020702161250.A57959@veverka.sh.cvut.cz>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: from peter@skyrunner.net on Tue, Jul 02, 2002 at 08:47:37AM -0400
Sender: owner-freebsd-security@FreeBSD.ORG

On Tue, Jul 02, 2002 at 08:47:37AM -0400, Peter Brezny wrote:
> I've been trying to get clear on whether or not freebsd-stable (4.6-STABLE
> FreeBSD 4.6-STABLE #0: Sat Jun 29 00:37:13 EDT 2002) has resolved the
> problem listed in CA-2002-18 from CERT.
>
> It doesn't appear so, since it's running OpenSSH_2.9 and
> http://openssh.org/txt/preauth.adv clearly says that FreeBSD is vulnerable.
>
> I _THOUGHT_ I found something on the FreeBSD site stating that OpenSSH_2.9
> FreeBSD localisations 20020307 was not vulnerable; however, I can't find it
> now.
>
> Since there doesn't appear to be a security advisory or notice from the
> FreeBSD security team on this one yet, what's the best thing to do?

The Best Thing(tm) is to stay calm :)

> Manually update to OpenSSH 3.4? Is an update to the base system in the
> works?

You may either manually upgrade to OpenSSH 3.4
(/usr/ports/security/openssh-portable) or stick with base OpenSSH 2.9
localisation 20020307, as it is secure, as many people on this list said
before. But YMMV.

> TIA
>
> Peter Brezny
> Skyrunner.net

Buki

--
PGP public key: http://dev.null.cz/buki.asc
/"\
\ /   ASCII Ribbon Campaign
 X    Against HTML & Outlook Mail
/ \   http://www.thebackrow.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
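The two things Peter is trying to establish (which OpenSSH a host runs, and whether the challenge-response code path the advisory concerns is reachable at all) are easy to check mechanically. The script below is an added example written for this archive page, not code from the thread or from the FreeBSD project. It assumes the version string is the "OpenSSH_X.Y ..." text printed by `ssh -V` / `sshd -V`, and the sshd_config lines it reads are constructed samples. It flags every OpenSSH older than 3.4 (the release the reply recommends) for review; whether a vendor-patched 2.9 build such as the FreeBSD 20020307 localisation is exempt is exactly the judgement call the thread is about, so the script reports rather than decides. CA-2002-18 itself lists `ChallengeResponseAuthentication no` as the workaround, and sshd treats the option as enabled when it is absent, which the second function reflects.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeBSD project): audit helpers
# for the CA-2002-18 question discussed above.
# Assumptions: version strings look like "OpenSSH_2.9 FreeBSD localisations
# 20020307" or "OpenSSH_3.4p1"; config text is sshd_config syntax.

# openssh_needs_upgrade VERSION_STRING
#   Prints "yes" when the numeric OpenSSH version is older than 3.4,
#   "no" when it is 3.4 or newer, "unknown" when no version is found.
#   Only the X.Y part is compared; suffixes such as "p1" are ignored.
openssh_needs_upgrade() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || { echo unknown; return 0; }
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -lt 4 ]; }; then
        echo yes
    else
        echo no
    fi
}

# challenge_response_enabled < sshd_config
#   Reads sshd_config text on stdin and prints "no" only when the last
#   ChallengeResponseAuthentication line says "no"; any other value, or no
#   line at all, means the option is on (sshd's default), so "yes".
challenge_response_enabled() {
    val=$(sed -n 's/^[[:space:]]*ChallengeResponseAuthentication[[:space:]][[:space:]]*\([A-Za-z]*\).*/\1/p' |
        tail -n 1 | tr 'A-Z' 'a-z')
    case "$val" in
        no) echo no ;;
        *)  echo yes ;;
    esac
}

# audit_host VERSION_STRING < sshd_config
#   Combines both checks into one line of advice, mirroring the reply above:
#   either upgrade (ports openssh-portable) or, failing that, make sure the
#   CA-2002-18 workaround is in place.
audit_host() {
    upgrade=$(openssh_needs_upgrade "$1")
    cra=$(challenge_response_enabled)
    if [ "$upgrade" = no ]; then
        echo "version at or above 3.4: no action needed for CA-2002-18"
    elif [ "$cra" = no ]; then
        echo "pre-3.4 build, but ChallengeResponseAuthentication is off: workaround in place"
    else
        echo "pre-3.4 build with challenge-response enabled: upgrade or set ChallengeResponseAuthentication no"
    fi
}

# Constructed sample run: the version Peter quoted, with a default config.
printf 'Port 22\nPermitRootLogin no\n' |
    audit_host 'OpenSSH_2.9 FreeBSD localisations 20020307'
```

Run it against a real host with `ssh -V 2>&1` as the version argument and `/etc/ssh/sshd_config` on stdin; the output is a single advisory line suitable for dropping into a fleet inventory.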