On Wed, Sep 17, 2003 at 08:42:39PM -0500, McClain Looney wrote: > Hello, > > I followed the instructions to patch my sshd for SA03:12, only to find my > version string still doesn't match the one in the advisory. > > Am I correct in assuming it should read OpenSSH_3.5p1 FreeBSD-20030917 ? > > It currently reads SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030201. What could be > causing this? Is a make clean required before the depend?
The patches (eg. ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch) as described in the advisory are intended to be the minimum required in order to fix the vulnerability. That's done so that the same patches can be applied to as many different versions of FreeBSD as possible. Consequently, they don't modify the version numbers either in the $FreeBSD$ CVS tags or of OpenSSH it self (in src/crypto/openssh/version.h). You can tell that just be a simple eyeball inspection of the patch. This is generally the case with security advisories, as a) it's part of the modu operandi of the x.y-RELEASE branches and b) time being of the essence, the smaller the number of patches that have to be developed and tested, the better. However, it's not an absolute rule: some security advisories have resulted in version number bumps on some of the branches. If you want to pull down sources with all of the latest version numbers, use cvsup(1), ie. Option 1) in the Solution section of the advisory. However, you probably have succeeded in patching your system and are now not vulnerable, although there's no way to tell that remotely other than by trying to exploit the bug. Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks Savill Way PGP: http://www.infracaninophile.co.uk/pgpkey Marlow Tel: +44 1628 476614 Bucks., SL7 1TH UK
Description: PGP signature