From: Peter Brezny (peterskyrunner.net)
Date: Tue Jul 02 2002 - 10:33:13 CDT


    Buki,

    Thanks very much for assuaging my fears.

    I looked through the security list archives for a little while looking for
    some more on the subject, but didn't come up with anything definitive.

    It would be really helpful for the security team to release an official
    notice letting us know that we're not in deep dodo here.

    It's particularly scary when the advisories out there say there's a
    problem, but it's hard to find specific examples of why it's not a problem
    on freebsd.

    If you have any direct refs you could point me to, that would be great.

    I also need to update my knowledge of acronyms,...what's YMMV stand for?

    Thanks again,

    pb

    Peter Brezny
    Skyrunner.net

    -----Original Message-----
    From: Buki [mailto:devnull.cz]
    Sent: Tuesday, July 02, 2002 10:13 AM
    To: Peter Brezny
    Cc: freebsd-securityFreeBSD.ORG
    Subject: Re: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in
    Challenge Response

    On Tue, Jul 02, 2002 at 08:47:37AM -0400, Peter Brezny wrote:
    > I've been trying to get clear on whether or not freebsd-stable (4.6-STABLE
    > FreeBSD 4.6-STABLE #0: Sat Jun 29 00:37:13 EDT 2002) has resolved the
    > problem listed in CA-2002-18 from CERT.
    >
    > it doesn't appear so since it's running Openssh_2.9 and
    > http://openssh.org/txt/preauth.adv clearly says that freebsd is
    > vulnerable.
    >
    >
    > I _THOUGHT_ I found something on the freebsd site stating that OpenSSH_2.9
    > FreeBSD localisations 20020307 was not vulnerable, however, I can't find
    > it now.
    >
    > Since there doesn't appear to be a security advisory or notice from the
    > freebsd security team on this one yet, what's the best thing to do?

    the Best Thing(tm) is to stay calm :)

    >
    > Manually update to openssh 3.4? Is an update to the base system in the
    > works?
    >

    you may either manually upgrade to OpenSSH 3.4
    (/usr/ports/security/openssh-portable)
    or stick with base OpenSSH 2.9 localisation 20020307 as it is secure as many
    people on this list said before. But YMMV.

    > TIA
    >
    >
    > Peter Brezny
    > Skyrunner.net
    >
    >
    >
    >
    > To Unsubscribe: send mail to majordomoFreeBSD.org
    > with "unsubscribe freebsd-security" in the body of the message

    Buki

    --
    PGP public key: http://dev.null.cz/buki.asc
    

    /"\
    \ /  ASCII Ribbon Campaign
     X   Against HTML & Outlook Mail
    / \  http://www.thebackrow.net
