Date: Thu, 18 Sep 2003 12:16:29 +0100
From: Matthew Seaman
To: Johannes Angeldorff
Cc: dinoex@freebsd.org, ports@freebsd.org
Subject: Re: FreeBSD Port: openssh-3.6.1
Message-ID: <20030918111629.GA59821@happy-idiot-talk.infracaninophile.co.uk>

On Thu, Sep 18, 2003 at 12:49:21PM +0200, Johannes Angeldorff wrote:
> Dear dinoex,
>
> We use OpenSSH on our FreeBSD servers.
>
> Today I saw this new insecurity at Cert:
> http://www.cert.org/advisories/CA-2003-24.html
>
> My question: When will OpenSSH 3.7.1 be available in Ports?
>
> Do you recommend installing it before it is available in Ports?

Please read the FreeBSD advisory at

    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:12.openssh.asc

All release branches since RELENG_4_3, as well as 4-STABLE and
5-CURRENT, and both openssh ports were patched between 14:46 and 16:25
UTC on 17th September. This includes the vulnerabilities covered by
the second revision of the advisory from OpenSSH
(http://www.openssh.com/txt/buffer.adv).

As we're officially in the ports freeze before the release of 4.9 it's
quite likely that the full update to 3.7.1p1 won't happen until the
freeze has been lifted. However, since the release has been put back
a few weeks, portmgr@ might see fit to permit the update sooner.

In any case, so long as you update your system or ports to the latest
available, you're covered against the vulnerability. No further
action need be taken. There's no need to switch to the ports version
of openssh from the base system version, or vice versa on account of
this problem.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK