Date: Mon, 6 Oct 2003 08:53:32 -0500
From: D J Hawkey Jr <hawkeyd@visi.com>
To: "Jacques A. Vidrine" <nectar@FreeBSD.org>, security at FreeBSD <freebsd-security@FreeBSD.org>
Subject: Re: 4.6-R (Was: Re: FreeBSD Security Advisory FreeBSD-SA-03:18.openssl)
Message-ID: <20031006135332.GA3551@sheol.localdomain>
In-Reply-To: <20031006120442.GA77299@madman.celabo.org>
References: <200310032249.h93MnXS8047857@freefall.freebsd.org> <20031005142519.GA76750@sheol.localdomain> <20031005163252.GC399@cowbert.2y.net> <20031005171245.GA82807@sheol.localdomain> <20031006120442.GA77299@madman.celabo.org>
On Oct 06, at 07:04 AM, Jacques A. Vidrine wrote:
>
> On Sun, Oct 05, 2003 at 12:12:45PM -0500, D J Hawkey Jr wrote:
> > According to a HEADSUP sent out by Jacques, RELENG_4_6 was supported by
> > SA-03:15, and the CVS tree updated. RELENG_4_6 was also supported by
> > SA-03:18, but I'm not certain if its CVS tree was updated (neither the
> > HEADSUP nor the SA explicitly says so, but I'll bet it has been).
>
> Yes, the SA says so:
>
> Corrected: [...] 2003-10-03 20:24:59 UTC (RELENG_4_6, 4.6.2-RELEASE-p26)

My bad. Thanks.

> > I'm not sure if RELENG_4_6 is EOL'd or not (though I think it is). Having
> > said that, the Security team does release patches for EOL'd releases as
> > they see fit.
>
> No need to guess. See the table at
> <URL: http://www.freebsd.org/security/#adv >.

OK, thanks again. I seem to remember this, somewhere in my volatile RAM.

> > > I was expecting to be able to manually patch my 4.6 sources
> > > and recompile just the crypto/secure subsystems but instead I was forced to
>
> Manual patching is really only recommended for gurus. Please use
> CVSup and report any problems.

Your point is well taken, and should be heeded, but I'm not sure about the
"gurus" bit. I'm no guru, but I've been patching some EOL'd releases for a
while now with little confusion.

Having said that, I've been looking over the SA-03:15 patchfile for RELENG_4_6
to see if I must patch a RELENG_4_5 box. My observations:

1) In auth1.c, code is added to remember the last packet before getting the
   next, in order to free resources if the next isn't what's expected. The
   base OpenSSH in RELENG_4_5 doesn't allocate any such resources; that patch
   isn't appropriate.

2) In auth2-pam-freebsd.c, there is a sanity check to see that an alloc'd
   structure is properly initialized. Due to code style/structure,
   RELENG_4_5's auth_pam.c doesn't seem to require this, as the structure
   elements are explicitly set in the case clauses.

3) The default configuration is changed: RhostsRSAAuthentication -> no,
   StrictHostKeyChecking -> ask, Cipher -> 3des, and Ciphers -> ... .

The first two explain why the SA omits RELENG_4_5. However, my corresponding
question is:

3) Why the changes? Should RELENG_4_5's configuration also be changed?

This is really the only question I have, as the code doesn't appear to need
any attention.

And an unrelated question:

- What's the BSD_AUTH define for? There doesn't seem to be anything in
  RELENG_4_5 that activates the #ifdef'd code, and it looks as though it's
  removed in RELENG_4_6.

Thanks,
Dave

--
 ______________________                            ______________________
 \__________________   \    D. J. HAWKEY JR.    /   __________________/
    \________________/\    hawkeyd@visi.com    /\________________/
                       http://www.visi.com/~hawkeyd/
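As an added example (not part of this thread, and not FreeBSD or OpenSSH code), the script below reads an OpenSSH client configuration and reports whether the three settings Dave lists in item 3 are at the values the SA-03:15 patch made the defaults on RELENG_4_6. It assumes these are ssh_config(5) keywords (StrictHostKeyChecking and Cipher are client-side options; RhostsRSAAuthentication exists on both sides), applies ssh_config's rule that the first obtained value for a keyword wins, scopes Host blocks so that only global lines and "Host *" count, and skips the elided "Ciphers -> ..." because its value is not given in the message. The two sample config files it writes are constructed for illustration. A keyword the file does not set falls back to the compiled-in default of that particular ssh binary, which the file alone cannot tell you, so the audit reports it rather than passing it.

```shell
#!/bin/sh
# Added example: audit an OpenSSH client config against the SA-03:15 defaults
# named in the message above.  Not from the thread, FreeBSD or OpenSSH.

# Print the effective value of keyword $2 in config file $1, or nothing if the
# file never sets it.  ssh_config(5): keywords are case-insensitive, both
# "Key value" and "Key=value" are accepted, and the FIRST obtained value wins.
# Lines inside a "Host <pattern>" block other than "Host *" are skipped, since
# they apply only to hosts matching that pattern.
ssh_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }               # comments and blank lines
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            if (match(line, /[[:space:]=]+/) == 0) next
            k = tolower(substr(line, 1, RSTART - 1))
            v = substr(line, RSTART + RLENGTH)
            sub(/[[:space:]]+$/, "", v)
            if (k == "host") { scope = v; next }    # entering a Host block
            if (scope != "" && scope != "*") next   # host-specific: ignore
            if (k == key) { print v; exit }         # first occurrence wins
        }' "$1"
}

# Compare config file $1 with the three post-SA-03:15 values from the thread.
# Prints one line per keyword; returns 0 only when all three are explicitly at
# the new values.  An unset keyword means the binary's compiled-in default
# applies, which this script cannot verify, so it is reported as a finding.
ssh_audit() {
    f=$1; rc=0
    for want in "RhostsRSAAuthentication=no" "StrictHostKeyChecking=ask" "Cipher=3des"; do
        key=${want%%=*}; val=${want#*=}
        have=$(ssh_effective "$f" "$key")
        lower=$(printf '%s' "$have" | tr 'A-Z' 'a-z')
        if [ -z "$have" ]; then
            echo "$key: unset (compiled-in default applies; check the binary)"
            rc=1
        elif [ "$lower" != "$val" ]; then
            echo "$key: $have (SA-03:15 default is $val)"
            rc=1
        else
            echo "$key: $have (ok)"
        fi
    done
    return $rc
}

# Constructed sample: a pre-patch style file.  The Host-scoped Cipher must not
# count, the duplicate StrictHostKeyChecking shows why first-wins matters.
write_sample_old() {
    f=${TMPDIR:-/tmp}/ssh_audit_old.$$
    cat >"$f" <<'EOF'
# constructed pre-SA-03:15 style client config (example data)
Host gateway.example
    Cipher 3des
Host *
    RhostsRSAAuthentication yes
    StrictHostKeyChecking no
    Cipher=blowfish
    StrictHostKeyChecking ask
EOF
    echo "$f"
}

# Constructed sample: a file already at the post-patch values.
write_sample_new() {
    f=${TMPDIR:-/tmp}/ssh_audit_new.$$
    cat >"$f" <<'EOF'
# constructed post-SA-03:15 style client config (example data)
RhostsRSAAuthentication no
StrictHostKeyChecking ask
Cipher 3des
EOF
    echo "$f"
}

# Usage: sh ssh_audit.sh /etc/ssh/ssh_config
if [ $# -gt 0 ]; then
    ssh_audit "$1"
fi
```

Run it against the sample files to see the difference: on the old-style file the audit flags RhostsRSAAuthentication yes, StrictHostKeyChecking no (the first value, not the later "ask"), and Cipher blowfish (the 3des under "Host gateway.example" does not apply globally); the new-style file passes all three.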