From owner-freebsd-security Tue Jul  2 18:03:54 2002
Delivered-To: freebsd-security@freebsd.org
From: Dag-Erling Smorgrav
To: "Peter Brezny"
Subject: Re: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response
Date: 03 Jul 2002 03:03:46 +0200
X-URL: http://www.ofug.org/~des/
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.2

"Peter Brezny" writes:
> I've been trying to get clear on whether or not freebsd-stable (4.6-STABLE
> FreeBSD 4.6-STABLE #0: Sat Jun 29 00:37:13 EDT 2002) has resolved the
> problem listed in CA-2002-18 from CERT.
>
> It doesn't appear so since it's running Openssh_2.9 and
> http://openssh.org/txt/preauth.adv clearly says that freebsd is vulnerable.

I don't know how many times I have to say this: FreeBSD-STABLE's version of OpenSSH is not vulnerable. Anyone who tells you otherwise is lying or misinformed.

The OpenBSD advisory is (quite possibly intentionally) misleading. It lists FreeBSD as vulnerable because FreeBSD-CURRENT was, for about three months (late March to late June 2002).
Note that by the standards OpenBSD apply to their own software, FreeBSD is not and was never vulnerable, because no FreeBSD release ever shipped with a vulnerable version of OpenSSH.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org