Date: 03 Jul 2002 03:03:46 +0200
From: Dag-Erling Smorgrav <des@ofug.org>
To: "Peter Brezny" <peter@skyrunner.net>
Cc: <freebsd-security@freebsd.org>
Subject: Re: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response
Message-ID: <xzpk7od8vwt.fsf@flood.ping.uio.no>
In-Reply-To: <NEBBIGLHNDFEJMMIEGOOGEHGFCAA.peter@skyrunner.net>
References: <NEBBIGLHNDFEJMMIEGOOGEHGFCAA.peter@skyrunner.net>

"Peter Brezny" <peter@skyrunner.net> writes:
> I've been trying to get clear on whether or not freebsd-stable (4.6-STABLE
> FreeBSD 4.6-STABLE #0: Sat Jun 29 00:37:13 EDT 2002) has resolved the
> problem listed in CA-2002-18 from CERT.
>
> it doesn't appear so since it's running Openssh_2.9 and
> http://openssh.org/txt/preauth.adv clearly says that freebsd is vulnerable.

I don't know how many times I have to say this: FreeBSD-STABLE's
version of OpenSSH is not vulnerable. Anyone who tells you otherwise
is lying or misinformed.

The OpenBSD advisory is (quite possibly intentionally) misleading. It
lists FreeBSD as vulnerable because FreeBSD-CURRENT was, for about
three months (late March to late June 2002).

Note that by the standards OpenBSD apply to their own software,
FreeBSD is not and was never vulnerable, because no FreeBSD release
ever shipped with a vulnerable version of OpenSSH.

DES
--
Dag-Erling Smorgrav - des@ofug.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message