From owner-freebsd-security  Thu Nov 29 21:51:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2])
	by hub.freebsd.org (Postfix) with ESMTP id 3C6D637B417
	for <security@FreeBSD.ORG>; Thu, 29 Nov 2001 21:51:11 -0800 (PST)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2])
	by lariat.org (8.9.3/8.9.3) with ESMTP id WAA16771;
	Thu, 29 Nov 2001 22:50:48 -0700 (MST)
Message-Id: <4.3.2.7.2.20011129214449.052ded50@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Thu, 29 Nov 2001 21:56:32 -0700
To: Kris Kennaway <kris@obsecurity.org>
From: Brett Glass <brett@lariat.org>
Subject: Re: Lack of evidence for new SSH vulnerability
Cc: "f.johan.beisser" <jan@caustic.org>,
	Mauro Dias <localhost@dsgx.org>, security@FreeBSD.ORG
In-Reply-To: <20011129184521.B66815@xor.obsecurity.org>
References: <4.3.2.7.2.20011129113349.04722900@localhost>
 <4.3.2.7.2.20011128225341.04672880@localhost>
 <4.3.2.7.2.20011128221259.04665720@localhost>
 <20011128214925.P16958-100000@localhost>
 <4.3.2.7.2.20011128225341.04672880@localhost>
 <20011128233947.C53604@xor.obsecurity.org>
 <4.3.2.7.2.20011129113349.04722900@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

At 07:45 PM 11/29/2001, Kris Kennaway wrote:

>Your email described how you upgraded to the latest version of OpenSSH
>because you weren't sure whether the version currently in FreeBSD was
>affected by the vulnerability described in the CERT and Dittrich
>reports.  That indicates you had no clue what was going on since both
>documents quite clearly refer to versions of OpenSSH which were
>included in FreeBSD a year ago, the CERT advisory explicitly
>states when the problem was fixed (a year ago), and links to the
>FreeBSD advisory which also says clearly that we fixed it a year ago.

I knew exactly what was going on, Kris, and think I acted 
appropriately.

The fact that FreeBSD 4.4 (which incorporates 2.3.0) was explicitly 
mentioned in Dittrich's paper, and that the exploit was being talked 
about again after a year's time, raised concerns that perhaps an
exploit for newer versions had been found. Perhaps my upgrades to
3.0.1p1 were unnecessary except on my older machines, but I'm glad 
I did them anyway. I might have clobbered other bugs or security
holes in the process -- and if there ARE new exploits, I'll have
less chance of being hit. Can't be too careful these days; the
disclosure-to-automated-exploit window is getting VERY short.

--Brett


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message