From owner-freebsd-bugs@FreeBSD.ORG Tue Oct 21 11:19:59 2003
Message-ID: <3F9578D1.36470223@lbl.gov>
Date: Tue, 21 Oct 2003 11:20:01 -0700
From: "Jin Guojun [NCS]"
To: freebsd-bugs@freebsd.org
References: <200310162336.h9GNafBv000304@hal.ee.lbl.gov> <20031017072412.Y39762@unit.xs4all.nl>
Subject: Re: bin/58153: 4.9 default with vulnerable openssh 3.5

Daan van de Linde wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > >Description:
> > 4.9 (current RC2) is still distributing openssh 3.5p1
> > which is a vulnerable version of openssh.
> > For 4.9-RELEASE, this needs to be changed to openssh-3.7p2
>
> It should be changed to openssh 3.7.1p2.
> I vaguely remember that the base-ssh (3.5) was patched for the
> vulnerabilities. Can be checked by the freebsd addendum in the
> sshd_config.
>
> --Daan

The 4.9-RC3 still has 3.5p1. It is hard to tell if it is patched.
If it is patched, the banner should be changed at least. Otherwise, it is not very useful, because users have no idea if this is secure. Also, the security scan is based on the banner. Once they see such an old version, they will simply block connections to 4.9 hosts.

-Jin
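Jin's point is that a banner-based scanner cannot see a backported fix. The following is an added example, not code from the thread or from FreeBSD: it classifies SSH identification strings the way such a scanner would, comparing the advertised OpenSSH version against the 3.7.1p2 floor the report asks for, and treats any trailing text after the version as a vendor addendum that warrants verification rather than an automatic block. The sample banners are constructed for the example; the addendum text is a placeholder, not FreeBSD's real one.

```python
import re

# Floor taken from the thread: anything older is flagged by version string alone.
MIN_VERSION = "3.7.1p2"

# SSH-<proto>-OpenSSH_<ver>[p<n>][ <vendor addendum>]
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[\d.]+)-OpenSSH_(?P<ver>\d+(?:\.\d+)*)(?:p(?P<portable>\d+))?"
    r"(?:\s+(?P<addendum>.+))?$"
)


def parse_version(ver: str):
    """Turn '3.7.1p2' into a comparable tuple: ((3, 7, 1), 2)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:p(\d+))?", ver)
    if not m:
        raise ValueError(f"unparseable OpenSSH version: {ver!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    portable = int(m.group(2)) if m.group(2) else 0
    return nums, portable


def assess_banner(banner: str, minimum: str = MIN_VERSION) -> dict:
    """Classify one SSH identification string as a version-only scanner would."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return {"software": None, "verdict": "unknown", "reason": "not an OpenSSH banner"}
    ver = m.group("ver") + (f"p{m.group('portable')}" if m.group("portable") else "")
    result = {"software": f"OpenSSH_{ver}", "addendum": m.group("addendum"), "verdict": "ok"}
    if parse_version(ver) < parse_version(minimum):
        # The scanner sees only the banner; a backported fix is invisible here.
        result["verdict"] = "flagged"
        result["reason"] = f"{ver} < {minimum} by version string"
        if m.group("addendum"):
            # A vendor tag is the only hint that a fix may be in place.
            result["note"] = "vendor addendum present: verify backport before blocking"
    return result


# Constructed samples; "FreeBSD-PLACEHOLDER" stands in for a real vendor addendum.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_3.5p1",
    "SSH-2.0-OpenSSH_3.5p1 FreeBSD-PLACEHOLDER",
    "SSH-2.0-OpenSSH_3.7.1p2",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(b, "->", assess_banner(b))
```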