Date: Sat, 04 Oct 2003 22:04:11 +0100
From: Colin Percival <colin.percival@wadham.ox.ac.uk>
To: "Greenshaw, Steve" <s.greenshaw@ucsm.ac.uk>
Cc: freebsd-security@freebsd.org
Subject: Re: Security Fix Confusion
Message-ID: <5.0.2.1.1.20031004215727.0301e590@popserver.sfu.ca>
In-Reply-To: <911E4B4A51A3D3119DD600508B44B4A40840C4@ammail.ucsm.ac.uk>

At 21:27 04/10/2003 +0100, you wrote:
>I'm wondering if anybody could enlighten me about the effect of tracking
>RELENG?

   Assuming you mean RELENG_x_y: You'll get critical security fixes for that
release, for as long as that release is supported.

>However, a '/usr/sbin/sshd -\?' shows the version of OpenSSH running as
>being OpenSSH_3.4p1.

   If it reports "sshd version OpenSSH_3.4p1 FreeBSD-20030924", you're safe.
The "FreeBSD-20030924" means that it includes the latest fixes (incorporated
by des@ on September 24th, part of SA-03:15).

> Scanning the box with Nessus warns of the security hole
>associated with versions of OpenSSH prior to 3.7.1p2 and warned about in
>SA-03:12
>
>So, my question is, am I actually covered by 4.7-RELEASE-p21 and Nessus is
>giving a false positive, or am I still potentially vulnerable?

   Looks like a false positive to me.

Colin Percival
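
The check described in the reply above, as an added example that is not part of the original message: a POSIX sh function that classifies an sshd version banner by its FreeBSD vendor date stamp instead of the upstream version number alone. The function names and result labels are hypothetical, the sample banners other than the one quoted in the reply are constructed, and treating any stamp at or after 20030924 as patched is an assumption.

```shell
#!/bin/sh
FIXED_UPSTREAM="3.7.1p2"    # threshold quoted from the Nessus warning in the message
FIXED_VENDOR_DATE=20030924  # vendor stamp the reply names as carrying the fixes

# ver_key: turn "3.4p1" or "3.7.1p2" into a fixed-width number that sorts by version.
ver_key() {
    case $1 in
        *p*) p=${1#*p} ;;   # portable patch level after the "p"
        *)   p=0 ;;
    esac
    v=${1%%p*}              # dotted part, e.g. "3.7.1"
    old_ifs=$IFS; IFS=.
    set -- $v               # split on dots into $1 $2 $3
    IFS=$old_ifs
    # Leading "1" keeps the key free of leading zeros for integer comparison.
    printf '1%03d%03d%03d%03d' "${1:-0}" "${2:-0}" "${3:-0}" "$p"
}

# classify_banner: prints fixed-upstream, fixed-backport, needs-review or unknown.
classify_banner() {
    banner=$1
    upstream=$(printf '%s\n' "$banner" | sed -n 's/.*OpenSSH_\([0-9.p]*\).*/\1/p')
    vendor=$(printf '%s\n' "$banner" | sed -n 's/.*FreeBSD-\([0-9]\{8\}\).*/\1/p')
    if [ -z "$upstream" ]; then
        echo unknown
    elif [ "$(ver_key "$upstream")" -ge "$(ver_key "$FIXED_UPSTREAM")" ]; then
        echo fixed-upstream   # upstream release already at or past the threshold
    elif [ -n "$vendor" ] && [ "$vendor" -ge "$FIXED_VENDOR_DATE" ]; then
        echo fixed-backport   # old upstream number, but fixes merged by the vendor
    else
        echo needs-review     # no evidence of the fix in the banner
    fi
}

# First banner is the one quoted in the reply; the rest are constructed samples.
for b in \
    "sshd version OpenSSH_3.4p1 FreeBSD-20030924" \
    "sshd version OpenSSH_3.4p1 FreeBSD-20020702" \
    "sshd version OpenSSH_3.4p1" \
    "sshd version OpenSSH_3.7.1p2"
do
    printf '%-46s %s\n' "$b" "$(classify_banner "$b")"
done
```

A scanner that compares only the upstream number puts the first banner in the same bucket as the second and third, which is the false positive discussed in this thread.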