From owner-freebsd-bugs@FreeBSD.ORG Thu Oct 16 22:28:19 2003
Return-Path:
Delivered-To: freebsd-bugs@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 6877D16A4B3
	for ; Thu, 16 Oct 2003 22:28:19 -0700 (PDT)
Received: from smtpzilla5.xs4all.nl (smtpzilla5.xs4all.nl [194.109.127.141])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 4C93643F85
	for ; Thu, 16 Oct 2003 22:28:18 -0700 (PDT)
	(envelope-from daan@xs4all.nl)
Received: from unit (unit.xs4all.nl [194.109.249.60])
	by smtpzilla5.xs4all.nl (8.12.9/8.12.9) with ESMTP id h9H5SG3u017353;
	Fri, 17 Oct 2003 07:28:16 +0200 (CEST)
Date: Fri, 17 Oct 2003 07:28:11 +0200 (CEST)
From: Daan van de Linde
To: j_guojun@lbl.gov
In-Reply-To: <200310162336.h9GNafBv000304@hal.ee.lbl.gov>
Message-ID: <20031017072412.Y39762@unit.xs4all.nl>
References: <200310162336.h9GNafBv000304@hal.ee.lbl.gov>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-bugs@freebsd.org
Subject: Re: bin/58153: 4.9 default with vulnerable openssh 3.5
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Bug reports
X-List-Received-Date: Fri, 17 Oct 2003 05:28:19 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> >Description:
> 4.9 (current RC2) is still distributing openssh 3.5p1
> which is a vulnerable version of openssh.
> For 4.9-RELEASE, this needs to be changed to openssh-3.7p2

It should be changed to openssh 3.7.1p2.
I vaguely remember that the base-ssh (3.5) was patched for the
vulnerabilities. Can be checked by the FreeBSD addendum in the
sshd_config.

- --Daan

On Thu, 16 Oct 2003, Charlie & wrote:

> Date: Thu, 16 Oct 2003 23:36:41 GMT
> From: Charlie &
> Reply-To: j_guojun@lbl.gov
> To: FreeBSD-gnats-submit@freebsd.org
> Subject: {Scanned} bin/58153: 4.9 default with vulnerable openssh 3.5
> Resent-Date: Thu, 16 Oct 2003 16:40:16 -0700 (PDT)
> Resent-From: FreeBSD-gnats-submit@freebsd.org (GNATS Filer)
> Resent-To: freebsd-bugs@freebsd.org
>
>
> >Number: 58153
> >Category: bin
> >Synopsis: 4.9 default with vulnerable openssh 3.5
> >Confidential: no
> >Severity: serious
> >Priority: high
> >Responsible: freebsd-bugs
> >State: open
> >Quarter:
> >Keywords:
> >Date-Required:
> >Class: change-request
> >Submitter-Id: current-users
> >Arrival-Date: Thu Oct 16 16:40:16 PDT 2003
> >Closed-Date:
> >Last-Modified:
> >Originator: Charlie &
> >Release: FreeBSD 4.9-RC2 i386
> >Organization:
> >Environment:
> System: FreeBSD testing4.9.lbl.gov 4.9-RC2 FreeBSD 4.9-RC2 #0: Wed Oct 8 07:44:57 GMT 2003 root@freebsd-stable.sentex.ca:/usr/obj/usr/src/sys/GENERIC i386
>
>
> FreeBSD 4.9 only
>
> >Description:
> 4.9 (current RC2) is still distributing openssh 3.5p1
> which is a vulnerable version of openssh.
> For 4.9-RELEASE, this needs to be changed to openssh-3.7p2
>
> >How-To-Repeat:
>
> >Fix:
>
> build openssh-3.7p2 for formal 4.9-RELEASE
> >Release-Note:
> >Audit-Trail:
> >Unformatted:
> _______________________________________________
> freebsd-bugs@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
> To unsubscribe, send any mail to "freebsd-bugs-unsubscribe@freebsd.org"
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQE/j33vMONMd70sQ4gRAv9YAJ9Eu9ZfyZgvfvb6Nk/Q/9w3qCRLLgCeOtpH
p4L378ex2kJg4AUKu4W58RI=
=Kg45
-----END PGP SIGNATURE-----
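
The check the reply suggests (reading the addendum in sshd_config rather than trusting the 3.5p1 version number), as an added example that is not part of the original thread. It assumes the addendum has the form `FreeBSD-YYYYMMDD` and may appear as a commented-out default; the function names, the sample file and all dates are constructed, and the cutoff must come from the relevant advisory.

```sh
#!/bin/sh
# Added example, not from the original thread.

# Print the effective VersionAddendum from an sshd_config file. An active
# line wins; otherwise fall back to the commented-out default (assumption:
# the shipped default is present as a "#VersionAddendum ..." line).
addendum_from_config() {
    awk '{
        commented = sub(/^[ \t]*#[ \t]*/, "")
        if (tolower($1) == "versionaddendum") {
            if (commented) dflt = $2; else active = $2
        }
    }
    END { print (active != "" ? active : dflt) }' "$1"
}

# Compare a "FreeBSD-YYYYMMDD" addendum with a cutoff date (YYYYMMDD).
# The cutoff is the date stamp of the fixed build; this example does not
# know it and takes it as an argument.
addendum_status() {
    case $1 in
        FreeBSD-*) stamp=${1#FreeBSD-} ;;
        *) echo unknown; return 0 ;;
    esac
    case $stamp in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    [ "${#stamp}" -eq 8 ] || { echo unknown; return 0; }
    if [ "$stamp" -ge "$2" ]; then echo at-or-after-cutoff
    else echo before-cutoff; fi
}

# Constructed sample config; the dates are placeholders, not real build stamps.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Port 22
#Protocol 2,1
#VersionAddendum FreeBSD-20010101
EOF

value=$(addendum_from_config "$sample")
echo "$value: $(addendum_status "$value" 20020202)"
rm -f "$sample"
```

A result of `unknown` means the addendum was removed or customised, so the date stamp cannot settle whether the base sshd carries the fix.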