From owner-freebsd-security Tue Jul 2 8:36:10 2002
From: "Peter Brezny"
To: "Buki"
Subject: RE: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response
Date: Tue, 2 Jul 2002 11:33:13 -0400
In-Reply-To: <20020702161250.A57959@veverka.sh.cvut.cz>

Buki,

Thanks very much for assuaging my fears. I looked through the security list archives for a little while looking for some more on the subject, but didn't come up with anything definitive.

It would be really helpful for the security team to release an official notice letting us know that we're not in deep doo-doo here. It's particularly scary when the advisories out there say there's a problem, but it's hard to find specific examples of why it's not a problem on FreeBSD. If you have any direct refs you could point me to, that would be great.

I also need to update my knowledge of acronyms... what's YMMV stand for?
Thanks again,
pb

Peter Brezny
Skyrunner.net

-----Original Message-----
From: Buki [mailto:dev@null.cz]
Sent: Tuesday, July 02, 2002 10:13 AM
To: Peter Brezny
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response

On Tue, Jul 02, 2002 at 08:47:37AM -0400, Peter Brezny wrote:
> I've been trying to get clear on whether or not freebsd-stable (4.6-STABLE
> FreeBSD 4.6-STABLE #0: Sat Jun 29 00:37:13 EDT 2002) has resolved the
> problem listed in CA-2002-18 from CERT.
>
> It doesn't appear so, since it's running OpenSSH_2.9 and
> http://openssh.org/txt/preauth.adv clearly says that FreeBSD is vulnerable.
>
> I _THOUGHT_ I found something on the FreeBSD site stating that OpenSSH_2.9
> FreeBSD localisations 20020307 was not vulnerable; however, I can't find it
> now.
>
> Since there doesn't appear to be a security advisory or notice from the
> FreeBSD security team on this one yet, what's the best thing to do?

The Best Thing(tm) is to stay calm :)

> Manually update to OpenSSH 3.4? Is an update to the base system in the
> works?

You may either manually upgrade to OpenSSH 3.4 (/usr/ports/security/openssh-portable) or stick with base OpenSSH 2.9 localisation 20020307, as it is secure, as many people on this list said before. But YMMV.

> TIA
>
> Peter Brezny
> Skyrunner.net
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

Buki
--
PGP public key: http://dev.null.cz/buki.asc
/"\
\ /  ASCII Ribbon Campaign
 X   Against HTML & Outlook Mail
/ \  http://www.thebackrow.net
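As an added example (not from the thread, nor FreeBSD's or OpenSSH's own code), a small POSIX shell check that gathers the two facts this exchange turns on for a given host: the OpenSSH version in the banner (below 3.4 or not) and whether ChallengeResponseAuthentication is enabled in sshd_config, the code path named in the advisory's title. The banner strings and config fragments are constructed samples, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: report version and challenge-response status for an sshd.
# Inputs are passed as strings so the check runs offline against constructed
# samples; on a real host feed it the sshd banner and /etc/ssh/sshd_config.

# Extract "major.minor" from a banner such as "OpenSSH_2.9 FreeBSD localisations 20020307".
ssh_version() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9]*\.[0-9]*\).*/\1/p'
}

# True (exit 0) when version $1 is older than version $2; both are "major.minor".
version_lt() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    [ "$a_major" -lt "$b_major" ] || { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -lt "$b_minor" ]; }
}

# sshd uses the first uncommented match for a keyword ("keyword value" form);
# the compiled-in default for ChallengeResponseAuthentication is "yes".
challenge_response_enabled() {
    val=$(printf '%s\n' "$1" | awk 'tolower($1)=="challengeresponseauthentication" {print tolower($2); exit}')
    [ "${val:-yes}" != "no" ]
}

# Prints one of: "unknown", "upgraded <ver>", "older-cra-on <ver>", "older-cra-off <ver>".
assess_sshd() {
    ver=$(ssh_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
    elif ! version_lt "$ver" 3.4; then
        echo "upgraded $ver"
    elif challenge_response_enabled "$2"; then
        echo "older-cra-on $ver"
    else
        echo "older-cra-off $ver"
    fi
}

# Constructed samples: the base-system banner quoted in the thread, a ports
# upgrade to 3.4, and two sshd_config fragments (default vs. explicitly off).
SAMPLE_BANNER_BASE='OpenSSH_2.9 FreeBSD localisations 20020307'
SAMPLE_BANNER_PORT='OpenSSH_3.4p1'
SAMPLE_CONFIG_DEFAULT='#ChallengeResponseAuthentication yes
PasswordAuthentication yes'
SAMPLE_CONFIG_CRA_OFF='ChallengeResponseAuthentication no'

assess_sshd "$SAMPLE_BANNER_BASE" "$SAMPLE_CONFIG_DEFAULT"   # older-cra-on 2.9
assess_sshd "$SAMPLE_BANNER_BASE" "$SAMPLE_CONFIG_CRA_OFF"   # older-cra-off 2.9
assess_sshd "$SAMPLE_BANNER_PORT" "$SAMPLE_CONFIG_DEFAULT"   # upgraded 3.4
```

The status line only records what the banner and config say; deciding whether a given build is actually affected is the question the thread is about.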