From owner-freebsd-security Fri Mar 16 4:45: 4 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13])
	by hub.freebsd.org (Postfix) with SMTP id DCC9037B718
	for ; Fri, 16 Mar 2001 04:44:57 -0800 (PST)
	(envelope-from roam@orbitel.bg)
Received: (qmail 22337 invoked by uid 1000); 16 Mar 2001 12:44:17 -0000
Date: Fri, 16 Mar 2001 14:44:17 +0200
From: Peter Pentchev
To: Shoichi Sakane
Cc: kris@obsecurity.org, freebsd-security@FreeBSD.ORG
Subject: Re: What's vunerable?
Message-ID: <20010316144417.A22302@ringworld.oblivion.bg>
Mail-Followup-To: Shoichi Sakane , kris@obsecurity.org, freebsd-security@FreeBSD.ORG
References: <20010316014004.A86953@mollari.cthul.hu> <20010316192556Q.sakane@ydc.co.jp>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010316192556Q.sakane@ydc.co.jp>; from sakane@ydc.co.jp on Fri, Mar 16, 2001 at 07:25:56PM +0900
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Mar 16, 2001 at 07:25:56PM +0900, Shoichi Sakane wrote:
> > > What I really need to know is what vulnerabilities exist on each box -
> > > so that I can present the boss with a risk assessment, and make him
> > > decide if the box stays as is, or gets a make world.
>
> > Read the advisories.
>
> why don't the maintainer of the ports of openssh make upgrade its version ?
> current version of the ports is openssh 2.2.0 which has some vulnerability.

The version of OpenSSH in the ports tree is not plain 2.2.0, but 2.2.0
'port revision' 2. The 'port revision' was bumped twice to indicate
important security fixes.

The 'some vulnerability' you are referring to is probably the
Bleichenbacher attack, which affected nearly all SSH servers at the time;
a fix was promptly added to the FreeBSD port.

G'luck,
Peter

-- 
If I had finished this sentence,