On Wed, Sep 17, 2003 at 08:42:39PM -0500, McClain Looney wrote:
> Hello,
> I followed the instructions to patch my sshd for SA03:12, only to find my 
> version string still doesn't match the one in the advisory.
> Am I correct in assuming it should read OpenSSH_3.5p1 FreeBSD-20030917 ?
> It currently reads SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030201.  What could be 
> causing this? Is a make clean required before the depend?

The patches
(eg. ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch)
as described in the advisory are intended to be the minimum required
in order to fix the vulnerability.  That's done so that the same
patches can be applied to as many different versions of FreeBSD as
possible.  Consequently, they don't modify the version numbers either
in the $FreeBSD$ CVS tags or of OpenSSH itself (in
src/crypto/openssh/version.h).  You can tell that just by a simple
eyeball inspection of the patch.

This is generally the case with security advisories, as a) it's part
of the modus operandi of the x.y-RELEASE branches and b) time being of
the essence, the smaller the number of patches that have to be
developed and tested, the better.  However, it's not an absolute rule:
some security advisories have resulted in version number bumps on some
of the branches.

If you want to pull down sources with all of the latest version
numbers, use cvsup(1), i.e. Option 1) in the Solution section of the
advisory.  However, you probably have succeeded in patching your
system and are now not vulnerable, although there's no way to tell
that remotely other than by trying to exploit the bug.



Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
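An added example, not part of this thread or of the FreeBSD advisory: a small POSIX sh script that (1) lists the files a unified diff touches, so the "does this patch bump version.h?" question can be answered mechanically instead of by eyeballing the patch, and (2) checks locally whether the patch is already applied to a source tree by dry-running it in reverse, which is the only reliable local confirmation when the banner string does not change. The embedded patch is constructed for illustration and is not the real buffer46.patch; already_applied assumes a patch(1) that accepts --dry-run (GNU patch), and FreeBSD's patch(1) spells that option -C.

```sh
#!/bin/sh
# Added example (not from the original thread or advisory).
# Tools: list files touched by a unified diff, and test whether the diff is
# already applied to a tree, for advisory patches that do not bump version.h.

# Constructed sample patch in the shape of an advisory patch (hypothetical
# hunk contents, not the real buffer46.patch).
SAMPLE_PATCH='--- src/crypto/openssh/buffer.c
+++ src/crypto/openssh/buffer.c
@@ -1,3 +1,4 @@
 int x;
+int y;
 int z;
 int w;
'

# Print the paths a unified diff modifies, one per line, taken from its
# "+++" headers (the post-patch side), with any trailing tab+timestamp
# dropped.  Assumes no added line itself begins with "++ ".
patched_files() {
    # $1: patch file
    awk '/^\+\+\+ / { sub(/^\+\+\+ /, ""); sub(/\t.*/, ""); print }' "$1"
}

# Exit 0 if the patch touches a file whose path ends in $2 (e.g. version.h),
# 1 otherwise.
touches_file() {
    # $1: patch file, $2: path suffix to look for
    patched_files "$1" | grep -q -- "$2\$"
}

# Exit 0 if the patch is already applied to the tree rooted at $2.
# Dry-run the patch in reverse: if the reverse applies cleanly, the forward
# patch is already in place.  -f stops patch(1) from asking whether to
# ignore -R when the hunk looks unreversed; with FreeBSD patch(1) replace
# --dry-run by -C.  (GNU patch assumed here.)
already_applied() {
    # $1: patch file, $2: source tree root (patch paths are relative to it)
    patch -d "$2" -p0 -R -f -s --dry-run < "$1" >/dev/null 2>&1
}

# Stand-alone demonstration on the constructed patch; needs no patch(1).
tmp=$(mktemp -d)
printf '%s' "$SAMPLE_PATCH" > "$tmp/sample.patch"
echo "files touched by sample.patch:"
patched_files "$tmp/sample.patch"
if touches_file "$tmp/sample.patch" version.h; then
    echo "patch modifies version.h: the sshd banner will change"
else
    echo "patch leaves version.h alone: the banner stays the same"
fi
rm -rf "$tmp"
```

Run already_applied against the tree you built from (for example, with the advisory's src/crypto/openssh path under /usr/src) to confirm the fix is in the source; it says nothing about the installed binary, so rebuild and reinstall sshd after a successful forward apply, and restart it.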

