From owner-freebsd-security Tue Jul 2 18:24:26 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 28B7037B400 for ; Tue, 2 Jul 2002 18:24:24 -0700 (PDT) Received: from moek.pir.net (moek.pir.net [130.64.1.215]) by mx1.FreeBSD.org (Postfix) with ESMTP id B36A143E0A for ; Tue, 2 Jul 2002 18:24:23 -0700 (PDT) (envelope-from pir@pir.net) Received: from pir by moek.pir.net with local (Exim) id 17PYsY-0003Qz-00 for freebsd-security@FreeBSD.ORG; Tue, 02 Jul 2002 21:24:22 -0400 Date: Tue, 2 Jul 2002 21:24:22 -0400 From: Peter Radcliffe To: freebsd-security@FreeBSD.ORG Subject: Re: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response Message-ID: <20020703012422.GC9314@pir.net> Reply-To: freebsd-security@freebsd.org Mail-Followup-To: freebsd-security@FreeBSD.ORG References: <200207030109.g6319Ufb008965@apollo.backplane.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.3.27i X-fish: < X-Copy-On-Listmail: Please do NOT Cc: me on list mail. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Dag-Erling Smorgrav probably said: > As far as I know, named itself is not vulnerable, but libbind contains > the bug, and software that uses libbind's gethost*() (nothing in the > base system does) is vulnerable. Does -STABLE's /usr/bin/dig, host, etc, not use libbind, then ? strings on the binary suggests otherwise. \pir -- pir pir-sig@pir.net pir-sig@net.tufts.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message