Date:      Fri, 17 Oct 2003 07:28:11 +0200 (CEST)
From:      Daan van de Linde <daan@xs4all.nl>
To:        j_guojun@lbl.gov
Cc:        freebsd-bugs@freebsd.org
Subject:   Re: bin/58153: 4.9 default with vulnerable openssh 3.5
Message-ID:  <20031017072412.Y39762@unit.xs4all.nl>
In-Reply-To: <200310162336.h9GNafBv000304@hal.ee.lbl.gov>
References:  <200310162336.h9GNafBv000304@hal.ee.lbl.gov>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> >Description:
>       4.9 (current RC2) is still distributing openssh 3.5p1
>       which is a vulnerable version of openssh.
>       For 4.9-RELEASE, this needs to be changed to openssh-3.7p2

It should be changed to openssh 3.7.1p2.
I vaguely remember that the base-ssh (3.5) was patched for the
vulnerabilities. This can be checked by the FreeBSD addendum in the
sshd_config.


- --Daan


On Thu, 16 Oct 2003, Charlie & wrote:

> Date: Thu, 16 Oct 2003 23:36:41 GMT
> From: Charlie & <root@hal.ee.lbl.gov>
> Reply-To: j_guojun@lbl.gov
> To: FreeBSD-gnats-submit@freebsd.org
> Subject: {Scanned} bin/58153: 4.9 default with vulnerable openssh 3.5
> Resent-Date: Thu, 16 Oct 2003 16:40:16 -0700 (PDT)
> Resent-From: FreeBSD-gnats-submit@freebsd.org (GNATS Filer)
> Resent-To: freebsd-bugs@freebsd.org
>
>
> >Number:         58153
> >Category:       bin
> >Synopsis:       4.9 default with vulnerable openssh 3.5
> >Confidential:   no
> >Severity:       serious
> >Priority:       high
> >Responsible:    freebsd-bugs
> >State:          open
> >Quarter:
> >Keywords:
> >Date-Required:
> >Class:          change-request
> >Submitter-Id:   current-users
> >Arrival-Date:   Thu Oct 16 16:40:16 PDT 2003
> >Closed-Date:
> >Last-Modified:
> >Originator:     Charlie &
> >Release:        FreeBSD 4.9-RC2 i386
> >Organization:
> >Environment:
> System: FreeBSD testing4.9.lbl.gov 4.9-RC2 FreeBSD 4.9-RC2 #0: Wed Oct 8 07:44:57 GMT 2003 root@freebsd-stable.sentex.ca:/usr/obj/usr/src/sys/GENERIC i386
>
>
> 	FreeBSD 4.9 only
>
> >Description:
> 	4.9 (current RC2) is still distributing openssh 3.5p1
> 	which is a vulnerable version of openssh.
> 	For 4.9-RELEASE, this needs to be changed to openssh-3.7p2
>
> >How-To-Repeat:
>
> >Fix:
>
> 	build openssh-3.7p2 for formal 4.9-RELEASE
> >Release-Note:
> >Audit-Trail:
> >Unformatted:
> _______________________________________________
> freebsd-bugs@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
> To unsubscribe, send any mail to "freebsd-bugs-unsubscribe@freebsd.org"
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQE/j33vMONMd70sQ4gRAv9YAJ9Eu9ZfyZgvfvb6Nk/Q/9w3qCRLLgCeOtpH
p4L378ex2kJg4AUKu4W58RI=
=Kg45
-----END PGP SIGNATURE-----
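
Added example, not part of the original message or of FreeBSD's own tooling: a shell sketch of the check the reply alludes to, reading the `VersionAddendum` from an sshd_config file and from the SSH identification string, so that a host reporting 3.5p1 is judged by its vendor patch stamp rather than by the upstream version alone. The function names, the sample banner and the baseline date are constructed for illustration; a real baseline has to come from the vendor's advisory.

```shell
#!/bin/sh
# Constructed sample identification string (not captured from a real host).
SAMPLE_BANNER='SSH-1.99-OpenSSH_3.5p1 FreeBSD-20031001'

# First uncommented VersionAddendum value in an sshd_config file.
config_addendum() {
    awk 'tolower($1) == "versionaddendum" {
             sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit
         }' "$1"
}

# Software version field of the identification string.
banner_software() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n 's/^SSH-[0-9.]*-\([^ ]*\).*$/\1/p'
}

# Comment field after the software version (where the addendum appears).
banner_addendum() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n 's/^SSH-[0-9.]*-[^ ]* \(.*\)$/\1/p'
}

# Compare the addendum date stamp with a baseline (YYYYMMDD).
# The addendum is an administrator-settable string, so treat the result
# as a triage hint and confirm against the installed sources or packages.
addendum_status() {
    add=$(banner_addendum "$1")
    baseline=$2
    case $add in
        FreeBSD-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])
            stamp=${add#FreeBSD-}
            if [ "$stamp" -ge "$baseline" ]; then
                echo "at-or-after-baseline"
            else
                echo "before-baseline"
            fi ;;
        "") echo "no-addendum" ;;
        *)  echo "unrecognized-addendum" ;;
    esac
}

# Demo on the constructed banner with a placeholder baseline date.
echo "software: $(banner_software "$SAMPLE_BANNER")"
echo "addendum: $(banner_addendum "$SAMPLE_BANNER")"
echo "status:   $(addendum_status "$SAMPLE_BANNER" 20030917)"
```
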


