Date: Tue, 10 Jan 2017 11:04:16 +0100 From: Miroslav Lachman <000.fbsd@quip.cz> To: Xin Li <delphij@delphij.net>, freebsd security <freebsd-security@freebsd.org> Cc: d@delphij.net Subject: Re: VuXML entry for openssh - 10.3 sshd in base vulnerable Message-ID: <5874B1A0.6060403@quip.cz> In-Reply-To: <e6441f50-4f0f-2b6a-6a39-30f1450f2e79@delphij.net> References: <586BA308.8060402@quip.cz> <586FB98F.2050500@quip.cz> <e6441f50-4f0f-2b6a-6a39-30f1450f2e79@delphij.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Xin Li wrote on 2017/01/10 08:49: > > > On 1/6/17 07:36, Miroslav Lachman wrote: >> Miroslav Lachman wrote on 2017/01/03 14:11: >>> Security entries for base are in VuXML for some time so we are checking >>> it periodically. Now we have an alert for base sshd in 10.3-p14 and -15 >>> too. >>> >>> # pkg audit FreeBSD-10.3_15 >>> FreeBSD-10.3_15 is vulnerable: >>> openssh -- multiple vulnerabilities >>> CVE: CVE-2016-10010 >>> CVE: CVE-2016-10009 >>> WWW: >>> https://vuxml.FreeBSD.org/freebsd/2aedd15f-ca8b-11e6-a9a5-b499baebfeaf.html >>> >>> >>> 1 problem(s) in the installed packages found. >>> >>> >>> But there is no advisory on >>> https://www.freebsd.org/security/advisories.html for this problem. >>> >>> Is it false alarm? Or did I missed something? >> >> 3 days without reply... >> >> Please, can somebody from FreeBSD team clarify if sshd in base is >> vulnerable or not? > > The default configuration is not affected by CVE-2016-10010 because > privilege separation is enabled by default. > > Exploiting CVE-2016-10009 requires non-trivial control over both a SSH > server and ability to write file on the system running ssh-agent(1). > > We plan to issue an advisory soon, but most of users do not need to be > worried for the vulnerabilities as the sshd(8) vulnerability requires > deliberately weaken the configuration, and it's hard to exploit the > ssh-agent(1) vulnerability (if an attacker is able to exploit it, they > already have substantial control and there would be much easier attacks > than doing it over ssh-agent). > > Hope this helps. Thank you for this clarification. Miroslav Lachman
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5874B1A0.6060403>