Date: Tue, 21 Oct 2003 23:30:23 -0700 (PDT)
From: Peter Pentchev <roam@ringlet.net>
To: freebsd-bugs@FreeBSD.org
Subject: Re: bin/58153: 4.9 default with vulnerable openssh 3.5
Message-ID: <200310220630.h9M6UNNB004027@freefall.freebsd.org>
The following reply was made to PR bin/58153; it has been noted by GNATS.

From: Peter Pentchev <roam@ringlet.net>
To: "Jin Guojun [NCS]" <j_guojun@lbl.gov>
Cc: bug-followup@freebsd.org
Subject: Re: bin/58153: 4.9 default with vulnerable openssh 3.5
Date: Wed, 22 Oct 2003 09:25:48 +0300

On Tue, Oct 21, 2003 at 11:20:01AM -0700, Jin Guojun [NCS] wrote:
> Daan van de Linde wrote:
>
> > >Description:
> > > 4.9 (current RC2) is still distributing openssh 3.5p1
> > > which is a vulnerable version of openssh.
> > > For 4.9-RELEASE, this needs to be changed to openssh-3.7p2
> >
> > It should be changed to openssh 3.7.1p2.
> > I vaguely remember that the base-ssh (3.5) was patched for the
> > vulnerabilities. Can be checked by the FreeBSD addendum in the
> > sshd_config.
> >
> > --Daan
>
> The 4.9-RC3 still has 3.5p1. It is hard to tell if it is patched.
> If it is patched, the banner should be changed at least. Otherwise,
> it is not very useful, because users have no idea if this is secure.
>
> Also, the security scan is based on the banner. Once they saw
> such an old version, they will simply block connections to 4.9
> hosts.

As Daan wrote, you can check whether the server is patched or not by
examining its version addendum string. If you take a look at the actual
FreeBSD security advisories, specifically FreeBSD-SA-03:12 (released on
September 17th) and FreeBSD-SA-03:15 (released on October 5th), linked
from the http://www.FreeBSD.org/ website, you can see that at the end of
the advisories there are procedures for checking whether the patches have
been applied, and those procedures specifically check the SSH version
addendum string ('FreeBSD-20030924' for the last advisory).

Also, the version addendum string *is* displayed in the banner; any
scanner software should be able to tell the difference between
'SSH-1.99-OpenSSH_3.5p1' (the plain vanilla OpenSSH 3.5p1 banner) and
'SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030924' (the banner displayed by the
patched OpenSSH server in the RELENG_4 branch - the one in 4.9RC3 and
the upcoming 4.9RC). Thus, yes, the SSH server's banner does indeed give
sufficient indication that the SSH vulnerabilities have been patched.

G'luck,
Peter

-- 
Peter Pentchev  roam@ringlet.net  roam@sbnd.net  roam@FreeBSD.org
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
What would this sentence be like if pi were 3?
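The banner distinction Peter describes, turned into an inventory check. This is an added illustration, not code from the PR, the advisories or the FreeBSD project. It parses the SSH identification string the way RFC 4253 section 4.2 lays it out (protoversion, softwareversion, optional comments after the first space), reads the 'FreeBSD-YYYYMMDD' addendum out of the comments, and treats a server as fixed either when its addendum date is on or after 20030924 (the string named in the thread for the last advisory) or when its upstream OpenSSH version is at or above 3.7.1p2 (the release Daan names). The "on or after" comparison, the upstream cut-off, and the sample banners are assumptions constructed for the example; the advisory's own verification procedure remains the authoritative check.

```python
"""Classify SSH server banners as the thread describes: a FreeBSD-patched
OpenSSH 3.5p1 is told apart from vanilla 3.5p1 only by the 'FreeBSD-YYYYMMDD'
version addendum carried in the comment field of the banner."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Addendum the thread cites for FreeBSD-SA-03:15. Assumption: any addendum
# dated on or after this one carries the fix.
FIXED_ADDENDUM_DATE = "20030924"
# Upstream release the thread names as fixed. Assumption: banners without a
# FreeBSD addendum are judged against this cut-off.
FIXED_UPSTREAM_VERSION = (3, 7, 1, 2)


@dataclass
class SshBanner:
    protoversion: str
    softwareversion: str
    comments: Optional[str]


def parse_banner(line: str) -> SshBanner:
    """Split 'SSH-protoversion-softwareversion [SP comments]' (RFC 4253 s4.2).
    softwareversion may not contain a space, so the first space starts comments."""
    line = line.rstrip("\r\n")
    m = re.fullmatch(r"SSH-(\d+\.\d+)-([^ ]+)(?: (.*))?", line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return SshBanner(m.group(1), m.group(2), m.group(3))


def openssh_version(softwareversion: str) -> Optional[Tuple[int, int, int, int]]:
    """'OpenSSH_3.7.1p2' -> (3, 7, 1, 2); 'OpenSSH_3.5p1' -> (3, 5, 0, 1).
    Returns None for software that is not OpenSSH."""
    m = re.fullmatch(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?", softwareversion)
    if not m:
        return None
    major, minor, patch, portable = m.groups()
    return (int(major), int(minor), int(patch or 0), int(portable or 0))


def freebsd_addendum_date(banner: SshBanner) -> Optional[str]:
    """Return the YYYYMMDD part of a 'FreeBSD-YYYYMMDD' addendum, if present."""
    if banner.comments is None:
        return None
    m = re.search(r"\bFreeBSD-(\d{8})\b", banner.comments)
    return m.group(1) if m else None


def classify(line: str) -> str:
    """One of: not-openssh, fixed-upstream, fixed-freebsd-addendum, vulnerable."""
    banner = parse_banner(line)
    version = openssh_version(banner.softwareversion)
    if version is None:
        return "not-openssh"
    if version >= FIXED_UPSTREAM_VERSION:
        return "fixed-upstream"
    addendum = freebsd_addendum_date(banner)
    # Same-length digit strings, so lexical order equals date order.
    if addendum is not None and addendum >= FIXED_ADDENDUM_DATE:
        return "fixed-freebsd-addendum"
    return "vulnerable"


# Constructed sample inventory (hostname, banner); not captured from real hosts.
SAMPLE_BANNERS = [
    ("host-a", "SSH-1.99-OpenSSH_3.5p1"),                    # vanilla 3.5p1
    ("host-b", "SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030924"),   # patched RELENG_4
    ("host-c", "SSH-2.0-OpenSSH_3.7.1p2"),                   # fixed upstream
    ("host-d", "SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030201"),   # addendum predates fix
    ("host-e", "SSH-2.0-hypothetical-sshd_1.0"),             # not OpenSSH at all
]


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map each host to its verdict so the vulnerable ones can be listed."""
    return {host: classify(banner) for host, banner in inventory}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{host}: {verdict}")
```

The addendum lives in the comment field rather than in softwareversion, so a scanner that only compares the 'OpenSSH_3.5p1' token will misreport the patched server; parsing the whole line, as above, is what makes the two banners distinguishable.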
