From: Dave Hayes
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: Binary upgrade available
Date: Wed, 26 Jun 2002 01:35:57 -0700

Some of us use the openssh port because openssh is a moving target. I noticed the port is updated to 3.3, and found this in the CVS logs:

    Revision 1.99, Mon Jun 24 22:57:12 2002 UTC (33 hours, 35 minutes ago) by dinoex
    Branch: MAIN
    Changes since 1.98: +15 -8 lines

    Enable privilege separation as default, create user and home if it does not exist.

So unless I'm missing something, people who track the ports tree and install openssh from it can use the latest port, turn privsep on, and they are now considered immune from this particular exploit.

Anyone see a flaw in that logic?

------
Dave Hayes - Consultant - Altadena CA, USA - dave@jetcafe.org
>>> The opinions expressed above are entirely my own <<<

It is your attachment to objects which makes you blind and deaf.
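An added example, not part of Dave's mail or of the FreeBSD port: a POSIX sh check for the two conditions the question rests on, an OpenSSH release at or above 3.3 and privilege separation actually switched on in sshd_config. It assumes version strings of the form "OpenSSH_3.3p1" (what ssh -V prints) and the sshd_config directive UsePrivilegeSeparation, which OpenSSH accepted from 3.2 until it was removed in 7.5; a missing directive is treated as "not enabled", because the upstream default differed between releases.

```shell
#!/bin/sh
# Added example (not from the original mail): verify that a host has
# OpenSSH >= 3.3 with an explicit "UsePrivilegeSeparation yes" in sshd_config.

# openssh_version "OpenSSH_3.3p1" -> "3.3"  (drops the "p1" suffix)
openssh_version() {
    v=${1#OpenSSH_}
    maj=${v%%.*}
    case $v in
        *.*) rest=${v#*.}; min=${rest%%[!0-9]*} ;;
        *)   min=0 ;;
    esac
    printf '%s.%s\n' "$maj" "${min:-0}"
}

# version_ge A B -> exit 0 when major.minor A >= major.minor B
version_ge() {
    a1=${1%%.*}; a2=${1#*.}
    b1=${2%%.*}; b2=${2#*.}
    [ "$a1" -gt "$b1" ] || { [ "$a1" -eq "$b1" ] && [ "$a2" -ge "$b2" ]; }
}

# privsep_enabled [FILE] -> exit 0 only if an uncommented
# "UsePrivilegeSeparation yes" line exists (reads stdin when FILE is omitted).
# sshd honours the first occurrence, so the scan stops at the first match;
# a commented-out or absent directive counts as not enabled.
privsep_enabled() {
    awk 'tolower($1) == "useprivilegeseparation" {
             found = 1; if (tolower($2) == "yes") ok = 1; exit
         }
         END { exit !(found && ok) }' "$@"
}

# privsep_ok VERSION [FILE] -> exit 0 when both conditions hold
privsep_ok() {
    ver=$(openssh_version "$1"); shift
    version_ge "$ver" 3.3 && privsep_enabled "$@"
}

# Demo on constructed configs (not a real host's configuration)
if printf 'Port 22\nUsePrivilegeSeparation yes\n' | privsep_ok OpenSSH_3.3p1; then
    echo "OpenSSH_3.3p1 with privsep yes: conditions met"
fi
if printf '#UsePrivilegeSeparation yes\n' | privsep_ok OpenSSH_3.3p1; then :; else
    echo "OpenSSH_3.3p1 with the directive commented out: not met"
fi
```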