On Nov 19, 2013, at 7:54 AM, Darren Pilgrim <[email protected]> wrote:
> On 11/19/2013 7:44 AM, Paul Hoffman wrote:
>> Greetings again. Why does this announcement only apply to:
>>
>>> Affects: FreeBSD 10.0-BETA
>>
>> That might be the only version where aes128-gcm and aes256-gcm are in
>> the defaults, but other versions of FreeBSD allow you to specify
>> cipher lists in /etc/ssh/sshd_config. I would think that you would
>> need to update all systems running OpenSSH 6.2 and 6.3, according to
>> the CVE. FWIW, when I did a freebsd-update on my 9.2-RELEASE system,
>> sshd (6.2) was not updated.
>
> The other requirement for being vulnerable is OpenSSH must be compiled with
> TLS 1.2 support (i.e., linked to OpenSSL v1.0.1 or later). FreeBSD 9.2 only
> has OpenSSL 0.9.8.y.

Very clear explanation, thanks! (I note that this wasn't even hinted at in the CVE...)

--Paul Hoffman
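
The three conditions discussed in this thread (OpenSSH 6.2 or 6.3, linked against OpenSSL 1.0.1 or later, AES-GCM ciphers offered) can be checked per host. The script below is an added example, not part of the original messages or of FreeBSD; the function names are hypothetical, and it assumes the banner format printed by `ssh -V` and the `ciphers` line printed by `sshd -T`.

```shell
#!/bin/sh
# Added example: classify a host against the conditions stated in the thread.
#   $1: version banner, e.g. the output of `ssh -V 2>&1`
#   $2: effective cipher list, e.g. `sshd -T | grep '^ciphers '`

# Succeeds if the OpenSSL version in the banner is 1.0.1 or later.
openssl_ge_101() {
    v=$(printf '%s\n' "$1" |
        sed -n 's/.*OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    # Unparseable version: assume it is new enough rather than miss a host.
    if [ -z "$v" ]; then return 0; fi
    maj=${v%%.*}; rest=${v#*.}; min=${rest%%.*}; fix=${rest#*.}
    if [ "$maj" -gt 1 ]; then return 0; fi
    if [ "$maj" -lt 1 ]; then return 1; fi
    if [ "$min" -gt 0 ]; then return 0; fi
    [ "$fix" -ge 1 ]
}

# Prints one verdict line for the given banner and cipher list.
gcm_exposure() {
    ssh_ver=$(printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    case "$ssh_ver" in
        6.2|6.3) ;;
        *) echo "not affected: OpenSSH version"; return 0 ;;
    esac
    if ! openssl_ge_101 "$1"; then
        echo "not affected: OpenSSL older than 1.0.1"; return 0
    fi
    # AES-GCM may come from the defaults or from a Ciphers line in sshd_config.
    case "$2" in
        *aes128-gcm*|*aes256-gcm*) echo "affected: update sshd" ;;
        *) echo "not affected: AES-GCM not offered" ;;
    esac
}

# On a live host:
#   gcm_exposure "$(ssh -V 2>&1)" "$(sshd -T | grep '^ciphers ')"
# Constructed sample resembling the 9.2-RELEASE case from the thread:
gcm_exposure 'OpenSSH_6.2p2, OpenSSL 0.9.8y 5 Feb 2013' \
             'ciphers aes128-ctr,aes256-ctr'
```
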
