Date: Wed, 14 Feb 2001 12:52:01 -0700 (MST)
From: Nate Williams <nate@yogotech.com>
To: Kris Kennaway <kris@obsecurity.org>
Cc: Igor Roshchin <str@giganda.komkon.org>, security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:24.ssh
Message-ID: <14986.57825.251227.67134@nomad.yogotech.com>
In-Reply-To: <20010213193348.C61478@mollari.cthul.hu>
References: <200102140320.WAA59845@giganda.komkon.org> <20010213193348.C61478@mollari.cthul.hu>

> > > OpenSSH is installed if you chose to install the 'crypto' distribution
> > > at install-time or when compiling from source, and is installed and
> > > enabled by default as of FreeBSD 4.1.1-RELEASE. By default SSH1
> > > protocol support is enabled.
> >
> > Excuse me pointing to a similar point in the last few advisories,
> > but, again, for some reason earlier releases 4.0 and 4.1 are forgotten.
> > While the advisory includes those releases in the list
> > of vulnerable systems, the paragraph quoted above tells that
> > OpenSSH is installed as of FreeBSD 4.1.1-RELEASE.
> > However, I see that 4.0-RELEASE had OpenSSH-1.2.2
> > and it is, according to the quote below is vulnerable.
>
> If you look at http://www.freebsd.org/security we only claim to
> provide security support for the most recent version of FreeBSD
> (4.2-RELEASE) and after.

I agree that 'support' is one thing, but at least mentioning which
releases are affected by this bug would be good. Most of the other
vendors list all of their 'affected' releases as being affected or not,
and since most of the deployed FreeBSD systems are *NOT* running 4.2R,
this is of great benefit to the users.

The BIND/NAMED was an example of explaining how to determine if the
system was vulnerable. The OpenSSH was an example of an advisory that
was not as helpful.

Other information that would have been useful is a mention of whether
the 'ssh1/ssh2' ports (www.ssh.org) in FreeBSD are vulnerable, etc...

Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message