Date: Wed, 26 Jun 2002 01:35:57 -0700 From: Dave Hayes <dave@jetcafe.org> To: Brett Glass <brett@lariat.org> Cc: security@FreeBSD.ORG Subject: Re: Binary upgrade available Message-ID: <200206260836.g5Q8a2090546@hokkshideh2.jetcafe.org>
next in thread | raw e-mail | index | archive | help
Some of us use the openssh port because openssh is a moving target. I noticed the port is updated to 3.3, and found this in the CVS logs: Revision 1.99 / (download) - annotate - [select for diffs], Mon Jun 24 22:57:12 2002 UTC (33 hours, 35 minutes ago) by dinoex Branch: MAIN Changes since 1.98: +15 -8 lines Diff to previous 1.98 (colored) Enable privilege separation as default, create user and home if it not exists. So unless I'm missing something, people who track the ports tree and install openssh from it can use the latest port, turn privsep on, and they are now considered immune from this particular exploit. Anyone see a flaw in that logic? ------ Dave Hayes - Consultant - Altadena CA, USA - dave@jetcafe.org >>> The opinions expressed above are entirely my own <<< It is your attachment to objects which makes you blind and deaf. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200206260836.g5Q8a2090546>