Date: Tue, 13 Feb 2001 22:20:59 -0500 (EST)
From: Igor Roshchin <str@giganda.komkon.org>
To: security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:24.ssh
Message-ID: <200102140320.WAA59845@giganda.komkon.org>

> Date: Mon, 12 Feb 2001 16:38:34 -0800 (PST)
> From: FreeBSD Security Advisories <security-advisories@FreeBSD.ORG>
> Subject: FreeBSD Security Advisory FreeBSD-SA-01:24.ssh
>
>
> =============================================================================
> FreeBSD-SA-01:24 Security Advisory
> FreeBSD, Inc.
>
> Topic: SSH1 implementations may allow remote system, data compromise
>
> Category: core/ports
> Module: openssh, ssh
> Announced: 2001-02-12
> Credits: Michal Zalewski <lcamtuf@razor.bindview.com> (Vulnerability 1)
>          Core-SDI (http://www.core-sdi.com) (Vulnerability 2)
> Affects: FreeBSD 4.x, 4.2-STABLE prior to the correction date
>          Ports collection prior to the correction date.
> <..>
>
> OpenSSH is installed if you chose to install the 'crypto' distribution
> at install-time or when compiling from source, and is installed and
> enabled by default as of FreeBSD 4.1.1-RELEASE. By default SSH1
> protocol support is enabled.

Excuse me pointing to a similar point in the last few advisories,
but, again, for some reason earlier releases 4.0 and 4.1 are forgotten.
While the advisory includes those releases in the list of vulnerable
systems, the paragraph quoted above tells that OpenSSH is installed
as of FreeBSD 4.1.1-RELEASE.
However, I see that 4.0-RELEASE had OpenSSH-1.2.2 and it is,
according to the quote below, vulnerable.

>
> Versions of the OpenSSH port prior to openssh-2.2.0_2, and versions
> of the ssh port prior to ssh-1.2.27_3 are vulnerable to these attacks.
>
> V. Solution
>
> - --[OpenSSH - base system]-----
>
> One of the following:
> <..>
>
> 2) Download the patch and detached PGP signature from the following
> location:
>
> The following patch applies to FreeBSD 4.2-RELEASE.
>
> # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:24/sshd-4.2-release.patch
> # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:24/sshd-4.2-release.patch.asc
>

While this patch complained about the absence of sshconnect1.c,
if one provides it with the response to patch sshconnect.c instead,
it seems to apply the patches and compile just fine.
So, maybe that should be taken into account, and a separate patch
should be issued for OpenSSH-pre-2.x?

The advisory also might need to be corrected to address
4.0-R and 4.1-R releases.

Regards,

Igor

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message