Date: Thu, 29 Nov 2001 21:56:32 -0700 From: Brett Glass <brett@lariat.org> To: Kris Kennaway <kris@obsecurity.org> Cc: "f.johan.beisser" <jan@caustic.org>, Mauro Dias <localhost@dsgx.org>, security@FreeBSD.ORG Subject: Re: Lack of evidence for new SSH vulnerability Message-ID: <4.3.2.7.2.20011129214449.052ded50@localhost> In-Reply-To: <20011129184521.B66815@xor.obsecurity.org> References: <4.3.2.7.2.20011129113349.04722900@localhost> <4.3.2.7.2.20011128225341.04672880@localhost> <4.3.2.7.2.20011128221259.04665720@localhost> <20011128214925.P16958-100000@localhost> <4.3.2.7.2.20011128225341.04672880@localhost> <20011128233947.C53604@xor.obsecurity.org> <4.3.2.7.2.20011129113349.04722900@localhost>
next in thread | previous in thread | raw e-mail | index | archive | help
At 07:45 PM 11/29/2001, Kris Kennaway wrote: >Your email described how you upgraded to the latest version of OpenSSH >because you weren't sure whether the version currently in FreeBSD was >affected by the vulnerability described in the CERT and Dittrich >reports. That indicates you had no clue what was going on since both >documents quite clearly refer to versions of OpenSSH which were >included in FreeBSD a year ago, the CERT advisory explicitly >states when the problem was fixed (a year ago), and links to the >FreeBSD advisory which also says clearly that we fixed it a year ago. I knew exactly what was going on, Kris, and think I acted appropriately. The fact that FreeBSD 4.4 (which incorporates 2.3.0) was explicitly mentioned in Dittrich's paper, and that the exploit was being talked about again after a year's time, raised concerns that perhaps an exploit for newer versions had been found. Perhaps my upgrades to 3.0.1p1 were unnecessary except on my older machines, but I'm glad I did them anyway. I might have clobbered other bugs or security holes in the process -- and if there ARE new exploits, I'll have less chance of being hit. Can't be too careful these days; the disclosure-to-automated-exploit window is getting VERY short. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.3.2.7.2.20011129214449.052ded50>