Date: Mon, 9 Jan 2017 23:49:21 -0800
From: Xin Li <delphij@delphij.net>
To: Miroslav Lachman <000.fbsd@quip.cz>, freebsd security <freebsd-security@freebsd.org>
Cc: d@delphij.net
Subject: Re: VuXML entry for openssh - 10.3 sshd in base vulnerable
Message-ID: <e6441f50-4f0f-2b6a-6a39-30f1450f2e79@delphij.net>
In-Reply-To: <586FB98F.2050500@quip.cz>
References: <586BA308.8060402@quip.cz> <586FB98F.2050500@quip.cz>

On 1/6/17 07:36, Miroslav Lachman wrote:
> Miroslav Lachman wrote on 2017/01/03 14:11:
>> Security entries for base are in VuXML for some time so we are checking
>> it periodically. Now we have an alert for base sshd in 10.3-p14 and -15
>> too.
>>
>> # pkg audit FreeBSD-10.3_15
>> FreeBSD-10.3_15 is vulnerable:
>> openssh -- multiple vulnerabilities
>> CVE: CVE-2016-10010
>> CVE: CVE-2016-10009
>> WWW:
>> https://vuxml.FreeBSD.org/freebsd/2aedd15f-ca8b-11e6-a9a5-b499baebfeaf.html
>>
>>
>> 1 problem(s) in the installed packages found.
>>
>>
>> But there is no advisory on
>> https://www.freebsd.org/security/advisories.html for this problem.
>>
>> Is it a false alarm? Or did I miss something?
>
> 3 days without reply...
>
> Please, can somebody from FreeBSD team clarify if sshd in base is
> vulnerable or not?

The default configuration is not affected by CVE-2016-10010 because privilege separation is enabled by default. Exploiting CVE-2016-10009 requires non-trivial control over both an SSH server and the ability to write a file on the system running ssh-agent(1).

We plan to issue an advisory soon, but most users do not need to be worried about the vulnerabilities, as the sshd(8) vulnerability requires deliberately weakening the configuration, and it's hard to exploit the ssh-agent(1) vulnerability (if an attacker is able to exploit it, they already have substantial control and there would be much easier attacks than doing it over ssh-agent).

Hope this helps.

Cheers,
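
A way to check whether a host's sshd configuration has been weakened in the sense the reply describes (privilege separation turned off). This is an added example, not part of the message or of FreeBSD's tooling; the function names `privsep_setting` and `check_privsep` and the sample config are constructed for illustration, and it assumes an OpenSSH release that still honours `UsePrivilegeSeparation`.

```shell
#!/bin/sh
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and "Keyword=value" is accepted like "Keyword value".

# privsep_setting FILE: print the first UsePrivilegeSeparation value
# (lowercased), or "unset" if the keyword never appears uncommented.
privsep_setting() {
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)               # drop leading whitespace
            if (line == "" || line ~ /^#/) next    # skip blanks and comments
            key = line
            sub(/[ \t=].*$/, "", key)              # keyword ends at space or "="
            if (tolower(key) != "useprivilegeseparation") next
            val = substr(line, length(key) + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val)        # strip the separator
            sub(/[ \t]+$/, "", val)                # strip trailing whitespace
            gsub(/"/, "", val)                     # arguments may be quoted
            print tolower(val)
            found = 1
            exit                                   # first occurrence wins
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# check_privsep FILE: return 1 when privilege separation is explicitly disabled.
check_privsep() {
    setting=$(privsep_setting "$1")
    case "$setting" in
        no)    echo "WEAKENED: UsePrivilegeSeparation is 'no' in $1"; return 1 ;;
        unset) echo "OK: not set in $1, built-in default applies"; return 0 ;;
        *)     echo "OK: UsePrivilegeSeparation is '$setting' in $1"; return 0 ;;
    esac
}

# Constructed sample (not from the thread): the later "sandbox" line is ignored.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
Port 22
useprivilegeseparation = No
UsePrivilegeSeparation sandbox
EOF
check_privsep "$sample" || true
rm -f "$sample"
```

On a real host, pass the path of the sshd_config that the running daemon actually loads.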