Date:      Tue, 21 Oct 2003 11:20:01 -0700
From:      "Jin Guojun [NCS]" <j_guojun@lbl.gov>
To:        freebsd-bugs@freebsd.org
Subject:   Re: bin/58153: 4.9 default with vulnerable openssh 3.5
Message-ID:  <3F9578D1.36470223@lbl.gov>
References:  <200310162336.h9GNafBv000304@hal.ee.lbl.gov> <20031017072412.Y39762@unit.xs4all.nl>

Daan van de Linde wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > >Description:
> >       4.9 (current RC2) is still distributing openssh 3.5p1
> >       which is a vulnerable version of openssh.
> >       For 4.9-RELEASE, this needs to be changed to openssh-3.7p2
>
> It should be changed to openssh 3.7.1p2.
> I vaguely remember that the base-ssh (3.5) was patched for the
> vulnerabilities. Can be checked by the FreeBSD addendum in the
> sshd_config.
>
> - --Daan

The 4.9-RC3 still has 3.5p1. It is hard to tell if it is patched.
If it is patched, the banner should be changed at least. Otherwise,
it is not very useful, because users have no idea if this is secure.

Also, the security scan is based on the banner. Once they saw
such an old version, they will simply block connections to 4.9
hosts.

    -Jin
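As an added example, not part of this thread and not FreeBSD's or OpenSSH's own code, the following Python parses the server identification line that banner-based scans key on and shows why the banner alone cannot answer Jin's question: a host advertising OpenSSH_3.5p1 together with a FreeBSD addendum (the string FreeBSD's sshd appends via its VersionAddendum setting) may or may not carry backported fixes, so the audit reports it as "verify" instead of "outdated". The sample banners are constructed, the "FreeBSD-YYYYMMDD" addendum form and the 3.7.1p2 threshold taken from the thread are assumptions for illustration, and no network connection is made.

```python
import re
from typing import Dict, Iterable, NamedTuple, Optional, Tuple

# Constructed sample banners (not captured from real hosts), in the form sshd
# sends as its first line: "SSH-<proto>-<software>[ <comments>]".
SAMPLE_BANNERS = [
    "SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030924",  # old base version, vendor addendum present
    "SSH-2.0-OpenSSH_3.7.1p2",                  # the fixed version named in the thread
    "SSH-2.0-OpenSSH_3.5p1",                    # old version, no addendum at all
    "SSH-2.0-OpenSSH_4.0",                      # newer release without a portable patch level
    "SSH-2.0-dropbear_0.41",                    # not OpenSSH: the version rule does not apply
]

BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?:\s+(?P<comments>.*))?$")
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<ver>\d+(?:\.\d+)*)(?:p(?P<patch>\d+))?")
# Assumed vendor addendum format, e.g. "FreeBSD-20030924" (a build date, not a patch level).
ADDENDUM_RE = re.compile(r"\bFreeBSD-(?P<date>\d{8})\b")


class Banner(NamedTuple):
    proto: str
    software: str
    comments: str
    openssh_version: Optional[Tuple[int, ...]]  # e.g. (3, 7, 1, 2) for OpenSSH_3.7.1p2
    addendum_date: Optional[str]


def parse_openssh_version(software: str) -> Optional[Tuple[int, ...]]:
    """Turn 'OpenSSH_3.7.1p2' into (3, 7, 1, 2); None if not an OpenSSH string."""
    m = OPENSSH_RE.match(software)
    if not m:
        return None
    parts = [int(x) for x in m.group("ver").split(".")]
    while len(parts) < 3:          # pad "3.5" to (3, 5, 0) so tuples compare cleanly
        parts.append(0)
    parts.append(int(m.group("patch") or 0))  # portable patch level, 0 if absent
    return tuple(parts)


def parse_banner(line: str) -> Banner:
    """Split an SSH identification line into protocol, software and comments."""
    m = BANNER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SSH identification line: {line!r}")
    comments = m.group("comments") or ""
    add = ADDENDUM_RE.search(comments)
    return Banner(
        proto=m.group("proto"),
        software=m.group("software"),
        comments=comments,
        openssh_version=parse_openssh_version(m.group("software")),
        addendum_date=add.group("date") if add else None,
    )


# Threshold from the thread: anything older than 3.7.1p2 is suspect.
MIN_OPENSSH = parse_openssh_version("OpenSSH_3.7.1p2")


def assess(line: str, minimum: Tuple[int, ...] = MIN_OPENSSH) -> str:
    """Classify one banner: ok / outdated / verify / unknown."""
    b = parse_banner(line)
    if b.openssh_version is None:
        return "unknown"    # not OpenSSH; a version comparison would be meaningless
    if b.openssh_version >= minimum:
        return "ok"
    if b.addendum_date:
        return "verify"     # old version string, but a vendor build: check the host, not the banner
    return "outdated"


def audit(banners: Iterable[str]) -> Dict[str, str]:
    """Map each banner to its classification; a scanner would feed real first lines here."""
    return {line: assess(line) for line in banners}


if __name__ == "__main__":
    for banner, status in audit(SAMPLE_BANNERS).items():
        print(f"{status:9s} {banner}")
```

The "verify" outcome is the practical point: a scanner that blocks on the version string alone will block a patched FreeBSD host just as readily as an unpatched one, and a scanner that trusts the addendum will let an unpatched one through, so the decision has to be made from the host's actual patch level.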


