From owner-freebsd-security@freebsd.org Fri Nov 4 17:08:09 2016
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
In-Reply-To: <97DEB29F-E625-4A74-9E1A-BC2A220DCF5A@bwinparty.com>
References: <20161102075533.8BBA114B5@freefall.freebsd.org> <201611021357.uA2DvHMW003088@higson.cam.lispworks.com> <24ff198d-9bd2-9842-50d8-8a1d5e2ecf8a@FreeBSD.org> <79b7122f-3b1a-377f-42bf-bd2851c5e6ae@calorieking.com> <97DEB29F-E625-4A74-9E1A-BC2A220DCF5A@bwinparty.com>
From: Xin LI
Date: Fri, 4 Nov 2016 10:08:05 -0700
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:33.openssh
To: Vladimir Terziev
Cc: Gregory Orange
Content-Type: text/plain; charset=UTF-8
List-Id: "Security issues [members-only posting]"

The issue was originally reported to us as affecting OpenSSH 6.8+ (reference: RedHat bugtracker https://bugzilla.redhat.com/show_bug.cgi?id=1384860), and therefore 9.3, 10.1 and 10.2 were not believed to be affected, so the "Affects: All supported versions of FreeBSD" was a mistake in the original advisory text.

We will investigate if the statement is true and will issue patches for earlier FreeBSD releases, if they are confirmed to be affected.

The patch for 10.x can be amended (change "ssh_dispatch_set" to "dispatch_set") to adapt to the earlier releases, by the way.

On Fri, Nov 4, 2016 at 2:08 AM, Vladimir Terziev wrote:
> Hi,
>
> if you look at the advisory, it states "Affects: All supported versions of FreeBSD.", while in the "Corrected" section 10.1 & 10.2 are missing.
>
> They are still supported, so the fix for them must be developed or they must be listed as not affected, if that's the case.
>
>
> Regards,
>
> Vladimir
>
>
> On Nov 4, 2016, at 11:01 AM, Gregory Orange wrote:
>
>> On 04/11/16 16:39, Kubilay Kocak wrote:
>>> Security advisories should state explicitly when otherwise supported
>>> versions are not vulnerable. It's surprising this isn't already the case.
>> I disagree. If none of the versions I have installed are listed, I don't read the rest of the advisory. Time saved. Listing them in a 'not affected' part of the message would add complexity and parsing for me - less time saved.
>>
>> Greg.
>> _______________________________________________
>> freebsd-security@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-security
>> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"