Date: Mon, 24 May 2004 16:11:59 -0400 (EDT) From: "Jason M. Leonard" <fuzz@ldc.upenn.edu> To: Vince Hoffman <jhary@unsane.co.uk> Cc: freebsd-questions@freebsd.org Subject: Re: freebsd 5.2.1 openssh hole Message-ID: <20040524155208.G87713@lorax.ldc.upenn.edu> In-Reply-To: <20040524203600.W62977@unsane.co.uk> References: <20040524192344.E6DFE43D2D@mx1.FreeBSD.org> <20040524203600.W62977@unsane.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 24 May 2004, Vince Hoffman wrote: > On Mon, 24 May 2004, Thomas May wrote: > > > Hi, > > > > i have installed the new version 5.2.1 and the ports collection from > > yesterday. i have checked the server > > > > with nessus and I got a security hole warning. > > > > You are running a version of OpenSSH which is older than 3.7.1 > > > > > > > > Versions older than 3.7.1 are vulnerable to a flaw in the buffer management > > I think this should be ammended to "Unpatched Versions older than 3.7.1 > are etc etc ..." > > it looks like its refering to CERT Advisory CA-2003-24i [1], which effects > unpatched versions of less than OpenSSH 3.7.1. however this was patched in > freebsd (base and ports) the same day the advisory came out [2]. > if your worried though, or want the newest version, install ssh from > ports. > > Vince Also keep in mind that nessus is (at times hilariously) unintelligent. Think of it like a lockpick gun. A lockpick gun is a tool that can make opening a lock easier for an experienced locksmith; it is not a tool that magically opens locks. nessus is a tool that can make life easier for an experienced administrator; it is not a magic all-knowing security genie. nessus will give you good advice about where *you should look* to see if there is a problem; beyond that take its "advice" with a salt lick. :Fuzz > > > > functions which might allow an attacker to execute arbitrary commands on > > this > > > > host. > > > > > > > > What can I do ? I have installed openssl from the ports tree, but I got the > > same error. > > > > > > > > > > > > > > > > > > --- > > Outgoing mail is certified Virus Free. > > Checked by AVG anti-virus system (http://www.grisoft.com). > > Version: 6.0.689 / Virus Database: 450 - Release Date: 21.05.2004 > > > > _______________________________________________ > > freebsd-questions@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org" > > > [1]http://www.cert.org/advisories/CA-2003-24.html > [2]ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:12.openssh.asc > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org" >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040524155208.G87713>