From owner-freebsd-bugs@FreeBSD.ORG Tue Oct 21 23:30:24 2003
Date: Tue, 21 Oct 2003 23:30:23 -0700 (PDT)
Message-Id: <200310220630.h9M6UNNB004027@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Peter Pentchev
Subject: Re: bin/58153: 4.9 default with vulnerable openssh 3.5
List-Id: Bug reports

The following reply was made to PR bin/58153; it has been noted by GNATS.
From: Peter Pentchev
To: "Jin Guojun [NCS]"
Cc: bug-followup@freebsd.org
Subject: Re: bin/58153: 4.9 default with vulnerable openssh 3.5
Date: Wed, 22 Oct 2003 09:25:48 +0300

On Tue, Oct 21, 2003 at 11:20:01AM -0700, Jin Guojun [NCS] wrote:
> Daan van de Linde wrote:
>
> > > >Description:
> > > 4.9 (current RC2) is still distributing openssh 3.5p1
> > > which is a vulnerable version of openssh.
> > > For 4.9-RELEASE, this needs to be changed to openssh-3.7p2
> >
> > It should be changed to openssh 3.7.1p2.
> > I vaguely remember that the base-ssh (3.5) was patched for the
> > vulnerabilities. Can be checked by the freebsd addendum in the
> > sshd_config.
> >
> > --Daan
>
> The 4.9-RC3 still has 3.5p1. It is hard to tell if it is patched.
> If it is patched, the banner should be changed at least. Otherwise,
> it is not very useful, because users have no idea if this is secure.
>
> Also, the security scan is based on the banner. Once they saw
> such an old version, they will simply block connections to 4.9
> hosts.

As Daan wrote, you can check whether the server is patched or not by examining its version addendum string. If you take a look at the actual FreeBSD security advisories, specifically FreeBSD-SA-03:12 (released on September 17th) and FreeBSD-SA-03:15 (released on October 5th), linked from the http://www.FreeBSD.org/ website, you can see that at the end of the advisories there are procedures for checking whether the patches have been applied, and those procedures specifically check the SSH version addendum string ('FreeBSD-20030924' for the last advisory).
Also, the version addendum string *is* displayed in the banner; any scanner software should be able to tell the difference between 'SSH-1.99-OpenSSH_3.5p1' (the plain vanilla OpenSSH 3.5p1 banner) and 'SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030924' (the banner displayed by the patched OpenSSH server in the RELENG_4 branch - the one in 4.9RC3 and the upcoming 4.9RC). Thus, yes, the SSH server's banner does indeed give sufficient indication that the SSH vulnerabilities have been patched.

G'luck,
Peter

--
Peter Pentchev  roam@ringlet.net  roam@sbnd.net  roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
What would this sentence be like if pi were 3?
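The banner check Peter describes, written out as an added example (this is not code from the PR, from Peter, or from FreeBSD): a small Python checker that parses an SSH identification line, pulls out FreeBSD's "FreeBSD-YYYYMMDD" version addendum, and judges the server by that date instead of by the "OpenSSH_3.5p1" label a naive scanner would key on. The two thresholds are assumptions taken from the thread: an addendum of FreeBSD-20030924 or later (the string the SA-03:15 procedure checks) and upstream OpenSSH 3.7.1p2 (the version Daan names) for servers that carry no addendum at all. The sample banners are constructed; fetch_banner() does real network I/O and is only there for use against a live host.

```python
"""Classify an SSH server identification string by FreeBSD's VersionAddendum
date rather than only by the upstream OpenSSH version number.

Added example; not code from the PR or from FreeBSD.  The thresholds below are
assumptions taken from the discussion (FreeBSD-20030924 and OpenSSH 3.7.1p2).
"""
import re
import socket
from typing import Dict, Iterable, NamedTuple, Optional, Tuple

# "SSH-<protoversion>-<softwareversion>[ <comments>]" identification line.
_IDENT_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# FreeBSD's addendum looks like "FreeBSD-YYYYMMDD".
_ADDENDUM_RE = re.compile(r"\bFreeBSD-(\d{8})\b")
# "OpenSSH_3.5p1", "OpenSSH_3.7.1p2", ...
_OPENSSH_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")

# Assumed thresholds (from the thread): a patched RELENG_4 sshd carries
# FreeBSD-20030924 or later; upstream shipped the same fixes in 3.7.1p2.
FIXED_ADDENDUM_DATE = 20030924
FIXED_UPSTREAM = (3, 7, 1, 2)


class BannerInfo(NamedTuple):
    proto: str
    software: str
    comments: Optional[str]
    addendum_date: Optional[int]
    patched: bool
    reason: str


def openssh_version(software: str) -> Optional[Tuple[int, ...]]:
    """Return (major, minor, patch, portable) for an OpenSSH_* token, else None."""
    m = _OPENSSH_RE.match(software)
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def parse_banner(line: str) -> BannerInfo:
    """Parse one identification line and decide whether it looks patched."""
    line = line.rstrip("\r\n")
    m = _IDENT_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    proto, software, comments = m.group("proto", "software", "comments")

    addendum_date = None
    if comments:
        a = _ADDENDUM_RE.search(comments)
        if a:
            addendum_date = int(a.group(1))

    if addendum_date is not None:
        # FreeBSD base system: the addendum date, not the 3.5p1 label, is the signal.
        patched = addendum_date >= FIXED_ADDENDUM_DATE
        reason = f"FreeBSD addendum {addendum_date} {'>=' if patched else '<'} {FIXED_ADDENDUM_DATE}"
    else:
        # No addendum: fall back to the upstream version, e.g. a ports build.
        ver = openssh_version(software)
        if ver is None:
            patched, reason = False, "not OpenSSH; cannot judge from banner"
        else:
            patched = ver >= FIXED_UPSTREAM
            reason = f"upstream {software} {'>=' if patched else '<'} OpenSSH_3.7.1p2"
    return BannerInfo(proto, software, comments, addendum_date, patched, reason)


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the server's identification line from a live host (network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # The server speaks first; its identification line ends with CRLF.
        with sock.makefile("rb") as f:
            return f.readline().decode("ascii", errors="replace")


# Constructed sample banners: the two quoted above plus two more for contrast.
SAMPLE_BANNERS = [
    "SSH-1.99-OpenSSH_3.5p1\r\n",
    "SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030924\r\n",
    "SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030201\r\n",
    "SSH-2.0-OpenSSH_3.7.1p2\r\n",
]


def classify_all(banners: Iterable[str]) -> Dict[str, bool]:
    """Return {banner: patched} for a list of identification lines."""
    return {b.strip(): parse_banner(b).patched for b in banners}


if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        info = parse_banner(b)
        verdict = "patched" if info.patched else "VULNERABLE?"
        print(f"{b.strip():45s} -> {verdict} ({info.reason})")
```

Two caveats for anyone putting this in a scanner: the addendum date only says something about FreeBSD's base-system sshd, since that is where the string comes from, and an administrator can set VersionAddendum in sshd_config to anything, so a banner is evidence that a patch level was applied, not proof; the upstream fallback is likewise only as good as the version-to-fix mapping you feed it.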