From owner-freebsd-security Fri Jul 5 07:11:07 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3EA0637B400; Fri, 5 Jul 2002 07:11:04 -0700 (PDT)
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9688543E3B; Fri, 5 Jul 2002 07:11:03 -0700 (PDT) (envelope-from des@ofug.org)
Received: by flood.ping.uio.no (Postfix, from userid 2602) id 1B187534B; Fri, 5 Jul 2002 16:11:02 +0200 (CEST)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: Trevor Johnson
Cc: Mike Tancsa, Ruslan Ermilov
Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1]
References: <20020705094314.C73784-100000@blues.jpj.net>
From: Dag-Erling Smorgrav
Date: 05 Jul 2002 16:11:01 +0200
In-Reply-To: <20020705094314.C73784-100000@blues.jpj.net>
Message-ID:
Lines: 16
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.2
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Trevor Johnson writes:
> Use of protocol version 1 makes an insertion attack possible, according to
> . That same page also explains that OpenSSH contains code to make such
> attacks very difficult. The vulnerability was published by CORE SDI in
> June of 1998. I would like to see protocol version 1 disabled by default,
> with a note in UPDATING about the change.

No. I will not arbitrarily lock users out of their machines.

DES
--
Dag-Erling Smorgrav - des@ofug.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
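The thread turns on what a host's sshd_config actually offers: whether protocol version 1 is still enabled, either explicitly or through the compiled-in default. The script below is an added example, not code from the thread, from FreeBSD or from OpenSSH. It audits an sshd_config for an effective Protocol value before an administrator changes the default, so that the "locked out" case DES raises can be spotted in advance. It relies on the sshd_config(5) rule that the first obtained value of a keyword wins, and it assumes (labelled in the code) that a missing Protocol directive means the built-in default "2,1"; the sample configs it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread, FreeBSD or OpenSSH: audit an sshd_config
# for whether SSH protocol version 1 is still offered by the server.
#
# Assumption (labelled): when no "Protocol" directive is present, the
# compiled-in default is treated as "2,1" (both versions offered). Change
# DEFAULT_PROTOCOL if your sshd build defaults differently.
DEFAULT_PROTOCOL="2,1"

# effective_protocol FILE
# Prints the Protocol value sshd would use. sshd_config(5): for each keyword
# the first obtained value wins, so only the first uncommented "Protocol"
# line counts; keywords are case-insensitive. The value is read as the second
# field, i.e. in sshd_config's usual space-free form such as "2,1".
effective_protocol() {
    proto=$(awk '
        /^[ \t]*#/ { next }                          # skip comment lines
        tolower($1) == "protocol" { print $2; exit } # first match wins
    ' "$1")
    printf '%s\n' "${proto:-$DEFAULT_PROTOCOL}"
}

# ssh1_allowed FILE
# Returns 0 (true) if version 1 appears in the effective Protocol list,
# 1 (false) if only version 2 is offered.
ssh1_allowed() {
    proto=$(effective_protocol "$1" | tr -d ' \t')
    case ",$proto," in
        *,1,*) return 0 ;;
        *)     return 1 ;;
    esac
}

# audit FILE: one-line report, suitable as a pre-upgrade check.
audit() {
    if ssh1_allowed "$1"; then
        echo "$1: Protocol $(effective_protocol "$1") -> SSH1 is offered"
    else
        echo "$1: Protocol $(effective_protocol "$1") -> SSH2 only"
    fi
}

# make_samples: writes constructed sample configs (not real hosts) into a
# temporary directory and prints its path, so the check can be exercised.
make_samples() {
    dir=$(mktemp -d)
    printf '# directive commented out: built-in default applies\n#Protocol 2,1\nPort 22\n' > "$dir/default.conf"
    printf 'Port 22\nprotocol 2\n' > "$dir/ssh2only.conf"
    printf 'Protocol 2\nProtocol 1\n' > "$dir/first-wins.conf"
    printf 'Protocol 1,2\n' > "$dir/both.conf"
    echo "$dir"
}

# Usage: ./ssh1audit.sh /etc/ssh/sshd_config [more files...]
for f in "$@"; do audit "$f"; done
```

Run it against each host's sshd_config before changing the default; any file reported as "SSH1 is offered" is one whose clients may still depend on version 1 and needs checking before a switch to version 2 only.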