Re: openssh in 4.9
On Thu, Oct 30, 2003 at 10:22:06AM -0800, Kris Kennaway wrote:
> Please read the security advisory.

I've read the advisory. It states a couple of workarounds (which I enabled at the time anyway) and also states that the problem is rectified in -STABLE beyond a certain date.

However, looking at the openssh advisories, the only fix is to be running a version 3.7.1p1 or later.

So I'm confused. Have the FreeBSD team backported these fixes into 3.5.1?

One of my problems is that some of my clients occasionally have 3rd parties perform penetration testing on our servers. I need an explanation for when the 3rd party comes back and says that I am running a vulnerable ssh.

Regards,

--
Wayne Pascoe
Everything to excess. To enjoy the flavour of life, take big bites. Moderation is for monks. - Robert Heinlein
Re: openssh in 4.9
On Fri, Oct 31, 2003 at 08:55:15AM +, Wayne Pascoe wrote:
> On Thu, Oct 30, 2003 at 10:22:06AM -0800, Kris Kennaway wrote:
> > Please read the security advisory.
>
> I've read the advisory. It states a couple of workarounds (which I enabled at the time anyway) and also states that the problem is rectified in -STABLE beyond a certain date.
>
> However, looking at the openssh advisories, the only fix is to be running a version 3.7.1p1 or later.
>
> So I'm confused. Have the FreeBSD team backported these fixes into 3.5.1?

Yes, that's why the FreeBSD advisory says the problem was rectified in -STABLE beyond a certain date ;-)

> One of my problems is that some of my clients occasionally have 3rd parties perform penetration testing on our servers. I need an explanation for when the 3rd party comes back and says that I am running a vulnerable ssh.

Compare the version string to an unpatched openssh version... they are not the same.

Kris
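The version-string comparison suggested in the reply above, as an added example that is not part of the original thread and is not FreeBSD or OpenSSH code: a triage helper for scanner findings raised from the version string alone. The function names, result labels and the `vendor_fixed_stamp` parameter are assumptions, and the cut-off date has to be taken from the FreeBSD advisory, which the thread does not quote.

```python
import re

# Upstream release the OpenSSH advisory names as fixed, per the thread: 3.7.1p1.
UPSTREAM_FIXED = (3, 7, 1, 1)

_VERSION = re.compile(
    r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?"  # upstream version
    r"(?:\s+([A-Za-z]+)-(\d{8}))?"                   # optional vendor tag and date stamp
)

def parse(version_string):
    """Return ((major, minor, patch, portable), vendor, stamp), or None."""
    m = _VERSION.search(version_string)
    if m is None:
        return None
    upstream = tuple(int(g) if g else 0 for g in m.group(1, 2, 3, 4))
    return upstream, m.group(5), m.group(6)

def triage(version_string, vendor_fixed_stamp=None):
    """Classify a finding that was raised from the version string alone.

    vendor_fixed_stamp is the YYYYMMDD cut-off from the vendor advisory
    (hypothetical parameter; the caller supplies the value).
    """
    parsed = parse(version_string)
    if parsed is None:
        return "unparsed"
    upstream, vendor, stamp = parsed
    if upstream >= UPSTREAM_FIXED:
        return "fixed upstream"
    if vendor is None:
        return "flag: unpatched upstream version"
    if vendor_fixed_stamp is None:
        return "vendor build: check the vendor advisory"
    # Assumption: the stamp in the version string is comparable to the advisory date.
    if stamp >= vendor_fixed_stamp:
        return "fixed by vendor backport"
    return "flag: vendor build predates the fix"

if __name__ == "__main__":
    # Version string as posted in the thread.
    posted = "OpenSSH_3.5p1 FreeBSD-20030924, SSH protocols 1.5/2.0, OpenSSL 0x0090703f"
    print(triage(posted))
```

A scanner that compares only the upstream part of the string reports the posted build as vulnerable; the vendor tag is what tells the reviewer to consult the FreeBSD advisory instead.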
Re: openssh in 4.9
On Thu, Oct 30, 2003 at 02:19:26PM +, Wayne Pascoe wrote:
> Hi all,
>
> I just upgraded 2 servers to 4.9. On both of them, since the upgrade, ssh's version is being reported as
>
> -bash-2.05b$ ssh -V
> OpenSSH_3.5p1 FreeBSD-20030924, SSH protocols 1.5/2.0, OpenSSL 0x0090703f
>
> I thought that anything prior to 3.7p1 was vulnerable? Is this the correct version that I should be expecting, or do I have a problem?

Please read the security advisory.

Kris