From owner-freebsd-security Thu Nov 29 21:51:14 2001 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 3C6D637B417 for ; Thu, 29 Nov 2001 21:51:11 -0800 (PST) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id WAA16771; Thu, 29 Nov 2001 22:50:48 -0700 (MST) Message-Id: <4.3.2.7.2.20011129214449.052ded50@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 29 Nov 2001 21:56:32 -0700 To: Kris Kennaway From: Brett Glass Subject: Re: Lack of evidence for new SSH vulnerability Cc: "f.johan.beisser" , Mauro Dias , security@FreeBSD.ORG In-Reply-To: <20011129184521.B66815@xor.obsecurity.org> References: <4.3.2.7.2.20011129113349.04722900@localhost> <4.3.2.7.2.20011128225341.04672880@localhost> <4.3.2.7.2.20011128221259.04665720@localhost> <20011128214925.P16958-100000@localhost> <4.3.2.7.2.20011128225341.04672880@localhost> <20011128233947.C53604@xor.obsecurity.org> <4.3.2.7.2.20011129113349.04722900@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 07:45 PM 11/29/2001, Kris Kennaway wrote: >Your email described how you upgraded to the latest version of OpenSSH >because you weren't sure whether the version currently in FreeBSD was >affected by the vulnerability described in the CERT and Dittrich >reports. That indicates you had no clue what was going on since both >documents quite clearly refer to versions of OpenSSH which were >included in FreeBSD a year ago, the CERT advisory explicitly >states when the problem was fixed (a year ago), and links to the >FreeBSD advisory which also says clearly that we fixed it a year ago. I knew exactly what was going on, Kris, and think I acted appropriately. The fact that FreeBSD 4.4 (which incorporates 2.3.0) was explicitly mentioned in Dittrich's paper, and that the exploit was being talked about again after a year's time, raised concerns that perhaps an exploit for newer versions had been found. Perhaps my upgrades to 3.0.1p1 were unnecessary except on my older machines, but I'm glad I did them anyway. I might have clobbered other bugs or security holes in the process -- and if there ARE new exploits, I'll have less chance of being hit. Can't be too careful these days; the disclosure-to-automated-exploit window is getting VERY short. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message