Date: Wed, 14 Feb 2001 19:05:53 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Nate Williams <nate@yogotech.com>
Cc: Kris Kennaway <kris@obsecurity.org>, Igor Roshchin <str@giganda.komkon.org>, security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:24.ssh
Message-ID: <20010214190552.C78224@mollari.cthul.hu>
In-Reply-To: <14986.57825.251227.67134@nomad.yogotech.com>; from nate@yogotech.com on Wed, Feb 14, 2001 at 12:52:01PM -0700
References: <200102140320.WAA59845@giganda.komkon.org> <20010213193348.C61478@mollari.cthul.hu> <14986.57825.251227.67134@nomad.yogotech.com>
On Wed, Feb 14, 2001 at 12:52:01PM -0700, Nate Williams wrote:
> I agree that 'support' is one thing, but at least mentioning which
> releases are affected by this bug would be good.
>
> Most of the other vendors list all of their 'affected' releases as being
> affected or not, and since most of the deployed FreeBSD systems are
> *NOT* running 4.2R, this is of great benefit to the users.
> Other information that would have been useful is a mention of whether
> the 'ssh1/ssh2' ports (www.ssh.org) in FreeBSD are vulnerable, etc...
I appreciate the feedback, but as far as I can tell all this
information was actually present in the advisory:
Affects:        FreeBSD 4.x, 4.2-STABLE prior to the correction date
                Ports collection prior to the correction date.
Corrected:      OpenSSH [FreeBSD 4.x base system]:
                    2000-12-05 (Vulnerability 1)
                    2001-02-11 (Vulnerability 2)
                OpenSSH [ports]:
                    2001-02-09 (Vulnerability 1)
                    2001-02-11 (Vulnerability 2)
                ssh [ports]:
                    2001-02-09 (Vulnerability 1)
                    2001-02-09 (Vulnerability 2)
...
OpenSSH is installed if you chose to install the 'crypto' distribution
at install-time or when compiling from source, and is installed and
enabled by default as of FreeBSD 4.1.1-RELEASE. By default SSH1
protocol support is enabled.
...
An SSH1 client/server (ssh) from ssh.com is included in the ports
collection. This software is not available free of charge for all
uses, and the FreeBSD Security Officer does not recommend its use.
...
If SSH1 protocol support has been disabled in OpenSSH, it is not
vulnerable to these attacks. They do not affect implementations of
the SSH2 protocol, such as OpenSSH run in SSH2-only mode.
Versions of the OpenSSH port prior to openssh-2.2.0_2, and versions
of the ssh port prior to ssh-1.2.27_3 are vulnerable to these attacks.
Kris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org
iD8DBQE6i0eQWry0BWjoQKURAjymAKD5ASZjmnZNvJ8nz2BB7RvWTIJl9QCfcJl0
l1UGVFXTpUghQ9Ecwbp/IWc=
=UzEk
-----END PGP SIGNATURE-----
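The two conditions the quoted advisory text turns on are whether sshd still speaks the SSH1 protocol and whether the installed port is older than openssh-2.2.0_2 or ssh-1.2.27_3. The script below is an added example written for this archive page; it is not part of the advisory, the mailing-list thread, or the FreeBSD project's own tooling. It assumes the OpenSSH `Protocol` directive of the time (a comma-separated list, with SSH1 enabled when the directive is absent, matching the advisory's statement that SSH1 support is on by default) and FreeBSD ports version strings of the form `major.minor.patch` with an optional `_N` PORTREVISION suffix. The sshd_config contents and package names used for the demonstration are constructed, not taken from any real host.

```shell
#!/bin/sh
# Added example, not code from the advisory or the thread.
# Two checks for the conditions the advisory describes:
#   1. does sshd_config leave SSH1 reachable?
#   2. is an installed openssh/ssh port below the fixed version?

# Constructed sshd_config contents for the demonstration (not from a real host).
SAMPLE_SSHD_CONFIG='# comment line, must be ignored
Port 22
Protocol 2,1
PermitRootLogin no'

# ssh1_enabled CONFIG_TEXT
# Prints "yes" if SSH1 is still offered, "no" if Protocol is restricted to 2.
# Assumption: OpenSSH of that era enabled SSH1 when no Protocol line was present,
# so a missing directive is reported as "yes". Comment lines are skipped.
ssh1_enabled() {
    printf '%s\n' "$1" | awk '
        BEGIN { found = 0; v1 = 0 }
        /^[ \t]*#/ { next }
        tolower($1) == "protocol" {
            found = 1
            s = ""
            for (j = 2; j <= NF; j++) s = s $j      # tolerate "Protocol 2, 1"
            n = split(s, parts, ",")
            for (i = 1; i <= n; i++) if (parts[i] == "1") v1 = 1
        }
        END { if (!found || v1) print "yes"; else print "no" }'
}

# version_lt A B
# Exit 0 if ports version A is older than B. Compares the dotted numeric
# components first, then the _N PORTREVISION suffix (absent means 0), so
# 2.2.0 < 2.2.0_2 and 2.2.0_2 < 2.10.0, which plain string order gets wrong.
version_lt() {
    awk -v a="$1" -v b="$2" '
        function cmp(u, v,   pu, pv, nu, nv, n, i, x, y) {
            nu = split(u, pu, "."); nv = split(v, pv, ".")
            n = (nu > nv) ? nu : nv
            for (i = 1; i <= n; i++) {
                x = (i <= nu) ? pu[i] + 0 : 0
                y = (i <= nv) ? pv[i] + 0 : 0
                if (x != y) return (x < y) ? -1 : 1
            }
            return 0
        }
        BEGIN {
            ra = 0; rb = 0
            if (match(a, /_[0-9]+$/)) { ra = substr(a, RSTART + 1) + 0; a = substr(a, 1, RSTART - 1) }
            if (match(b, /_[0-9]+$/)) { rb = substr(b, RSTART + 1) + 0; b = substr(b, 1, RSTART - 1) }
            c = cmp(a, b)
            if (c == 0) c = (ra < rb) ? -1 : ((ra > rb) ? 1 : 0)
            if (c < 0) exit 0
            exit 1
        }'
}

# port_vulnerable PKGNAME
# Exit 0 if a package name such as openssh-2.2.0_1 is below the fixed version
# named in the advisory; exit 1 if fixed; exit 2 if it is not one of the two ports.
port_vulnerable() {
    pkg="$1"
    name="${pkg%-*}"
    ver="${pkg##*-}"
    case "$name" in
        openssh) version_lt "$ver" 2.2.0_2 ;;
        ssh)     version_lt "$ver" 1.2.27_3 ;;
        *)       return 2 ;;
    esac
}

# Demonstration on the constructed inputs.
printf 'SSH1 reachable in sample config: %s\n' "$(ssh1_enabled "$SAMPLE_SSHD_CONFIG")"
for p in openssh-2.2.0_1 openssh-2.2.0_2 openssh-2.3.0 ssh-1.2.27_2 ssh-1.2.27_3; do
    if port_vulnerable "$p"; then echo "$p: vulnerable"; else echo "$p: fixed"; fi
done
```

On a real host of that era the inputs would come from `ssh1_enabled "$(cat /etc/ssh/sshd_config)"` and from the package names printed by `pkg_info`; the base-system OpenSSH has no port version to compare and is covered only by the correction dates in the advisory, so the version check applies to the two ports alone.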