From owner-freebsd-security Wed Jun 26 11:21:01 2002
Delivered-To: freebsd-security@freebsd.org
Received: from sm13.texas.rr.com (sm13.texas.rr.com [24.93.35.40]) by hub.freebsd.org (Postfix) with ESMTP id A206137B40E for ; Wed, 26 Jun 2002 11:19:57 -0700 (PDT)
Received: from apricot (cs24243228-109.austin.rr.com [24.243.228.109]) by sm13.texas.rr.com (8.12.0.Beta16/8.12.0.Beta16) with SMTP id g5QIYams000941 for ; Wed, 26 Jun 2002 13:34:36 -0500
From: "William Wallace"
To:
Subject: RE: Users of FreeBSD releases should upgrade OpenSSH too (Was: The "race" that Theo sought to avoid...)
Date: Wed, 26 Jun 2002 13:10:50 -0500
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <4.3.2.7.2.20020626115517.022108b0@localhost>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Sorry for jumping in, but is there a way someone could post a note with the procedure that one needs to go through to update to OpenSSH 3.4? I just cvsup'd my security ports and the Makefiles under openssh and openssh-portable still point to 3.3 (which I'm currently running, after upgrading last night).

Thanks,

- William.

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Brett Glass
Sent: Wednesday, June 26, 2002 1:01 PM
To: Bosko Milekic
Cc: freebsd-security@FreeBSD.ORG
Subject: Users of FreeBSD releases should upgrade OpenSSH too (Was: The "race" that Theo sought to avoid...)
At 11:24 AM 6/26/2002, Bosko Milekic wrote:

> I think that what you're saying is reasonable, however, I know (now
> almost for a fact) that there was an exploit going around already.

In that case, the correct thing to do would have been to warn that turning on Privilege Separation was urgent because the bug was being exploited. That way, people who had planned upgrades for the weekend would not have been blindsided.

> So,
> it's better that the information has been released sooner, than later.
> And, since it appears that the OpenSSH that ships with our -STABLE is
> not affected, all the easier this is for those of us who were in the
> middle of implementing "drastic measures" (for fear of the worst), as
> it allows us to step back, relax, and enjoy the fireworks.

Don't do that. When the OpenSSH team fixed the bug that ISS found, it also nuked some other bugs. Some of these may have been present in 2.9, and they'll now be obvious to black hats. (Nice, clean, color-coded diffs that can be generated automatically via the CVS Web interface.) So, users of FreeBSD releases (or -STABLE, -CURRENT, or release engineering snapshots) should not rest easy. An upgrade to 3.4 is mandatory for everyone.

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
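The two things the thread tells an administrator to verify are the installed OpenSSH version (3.4 or later) and whether UsePrivilegeSeparation is switched on in sshd_config. The script below is an added example written for this page, not code from the thread or from the FreeBSD or OpenSSH projects. It parses the version banner that `ssh -V` prints (or that sshd sends on connect) and the sshd_config keyword, and it runs against a constructed banner and config embedded inline. Two assumptions are mine: the minimum version is taken as 3.4 because that is the version the thread names, and a config that does not mention UsePrivilegeSeparation at all is reported as "not enabled", which is the conservative reading rather than a statement of what any release's default was.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): post-advisory checks for
# an OpenSSH install. MIN_MAJOR/MIN_MINOR are an assumption taken from the
# thread's "upgrade to 3.4"; adjust for whatever version your advisory names.
MIN_MAJOR=3
MIN_MINOR=4

# version_ok BANNER
#   Returns 0 when the banner names OpenSSH >= MIN_MAJOR.MIN_MINOR,
#   1 when it is older, 2 when it is not an OpenSSH banner at all.
#   Accepts both "OpenSSH_3.3p1" (ssh -V) and "SSH-1.99-OpenSSH_3.3p1"
#   (the server's protocol greeting).
version_ok() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^\(SSH-[0-9.]*-\)\{0,1\}OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\2 \3/p')
    [ -n "$ver" ] || return 2
    set -- $ver                       # $1 = major, $2 = minor
    major=$1; minor=$2
    [ "$major" -gt "$MIN_MAJOR" ] && return 0
    [ "$major" -eq "$MIN_MAJOR" ] && [ "$minor" -ge "$MIN_MINOR" ] && return 0
    return 1
}

# privsep_enabled  (reads sshd_config text on stdin)
#   Returns 0 only if an uncommented "UsePrivilegeSeparation yes" is present.
#   sshd honours the FIRST occurrence of a keyword, so later lines are ignored.
#   A config with no such line returns 1 (assumption: treat as not enabled).
privsep_enabled() {
    awk 'tolower($1) == "useprivilegeseparation" && !seen { v = tolower($2); seen = 1 }
         END { exit (v == "yes") ? 0 : 1 }'
}

# report BANNER CONFIG_TEXT  -- human-readable summary of both checks
report() {
    if version_ok "$1"; then
        echo "version: OK ($1)"
    else
        echo "version: UPGRADE NEEDED ($1)"
    fi
    if printf '%s\n' "$2" | privsep_enabled; then
        echo "privsep: enabled"
    else
        echo "privsep: NOT enabled (set 'UsePrivilegeSeparation yes' in sshd_config)"
    fi
}

# Constructed sample inputs for a stand-alone run; not taken from the thread.
SAMPLE_BANNER='SSH-1.99-OpenSSH_3.3p1'
SAMPLE_CONFIG='Port 22
Protocol 2
#UsePrivilegeSeparation yes'

report "$SAMPLE_BANNER" "$SAMPLE_CONFIG"
```

On a live host you would feed `report` the output of `ssh -V 2>&1` and the contents of `/etc/ssh/sshd_config` (the path is the usual one, but confirm it for your release). The version parse deliberately stops at major.minor; the "p1" portable suffix carries no security meaning for this comparison.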