Date: Tue, 2 Jul 2002 11:33:13 -0400
From: "Peter Brezny" <peter@skyrunner.net>
To: "Buki" <dev@null.cz>
Cc: <freebsd-security@freebsd.org>
Subject: RE: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response
Message-ID: <NEBBIGLHNDFEJMMIEGOOKEHLFCAA.peter@skyrunner.net>
In-Reply-To: <20020702161250.A57959@veverka.sh.cvut.cz>

Buki,

Thanks very much for assuaging my fears.

I looked through the security list archives for a little while looking for
some more on the subject, but didn't come up with anything definitive.

It would be really helpful for the security team to release an official
notice letting us know that we're not in deep dodo here.

It's particularly scary when the advisories out there say there's a problem,
but it's hard to find specific examples of why it's not a problem on freebsd.

If you have any direct refs you could point me to, that would be great.

I also need to update my knowledge of acronyms,...what's YMMV stand for?

Thanks again,

pb

Peter Brezny
Skyrunner.net

-----Original Message-----
From: Buki [mailto:dev@null.cz]
Sent: Tuesday, July 02, 2002 10:13 AM
To: Peter Brezny
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response

On Tue, Jul 02, 2002 at 08:47:37AM -0400, Peter Brezny wrote:
> I've been trying to get clear on whether or not freebsd-stable (4.6-STABLE
> FreeBSD 4.6-STABLE #0: Sat Jun 29 00:37:13 EDT 2002) has resolved the
> problem listed in CA-2002-18 from CERT.
>
> It doesn't appear so since it's running Openssh_2.9 and
> http://openssh.org/txt/preauth.adv clearly says that freebsd is vulnerable.
>
>
> I _THOUGHT_ I found something on the freebsd site stating that OpenSSH_2.9
> FreeBSD localisations 20020307 was not vulnerable, however, I can't find it
> now.
>
> Since there doesn't appear to be a security advisory or notice from the
> freebsd security team on this one yet, what's the best thing to do?

the Best Thing(tm) is to stay calm :)

>
> Manually update to openssh 3.4? Is an update to the base system in the
> works?
>

you may either manually upgrade to OpenSSH 3.4 (/usr/ports/security/openssh-portable)
or stick with base OpenSSH 2.9 localisation 20020307 as it is secure as many people
on this list said before. But YMMV.

> TIA
>
>
> Peter Brezny
> Skyrunner.net
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

Buki

--
PGP public key: http://dev.null.cz/buki.asc

/"\
\ /  ASCII Ribbon Campaign
 X   Against HTML & Outlook Mail
/ \  http://www.thebackrow.net