Date: Mon, 24 Jun 2002 18:18:33 -0400 (EDT)
From: Matt Piechota
To: Jason DiCioccio
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd)

On Mon, 24 Jun 2002, Jason DiCioccio wrote:

> > OpenBSD and NetBSD users should also update to OpenSSH 3.3 right away.
> > On OpenBSD privsep works flawlessly, and I have reports that is also
> > true on NetBSD. All other systems appear to have minor or major
> > weaknesses when this code is running.
>
> I know Theo did not mention FreeBSD, but does anyone know for sure if
> FreeBSD is one of the platforms with major/minor weaknesses in the privsep
> code? And if it is major, or minor? ;-)

And better yet, is this a 3.x bug, or does it affect 2.whatever that is in the base 4.x-STABLE?

Hopefully someone that is 'in' on the bug can give us a hint without giving away too much before the patch, at least so we can prepare to patch and rebuild.

Does this reset OpenBSD's 4 years without a root hole? :)

--
Matt Piechota