Date: Wed, 26 Jun 2002 14:39:58 -0400
From: Bosko Milekic
To: Jan Lentfer
Cc: FreeBSD Security Mailling List
Subject: Re: OpenSSH Security (just a question, please no f-war)
Message-ID: <20020626143958.B43472@unixdaemons.com>
In-Reply-To: <1025116241.2817.2.camel@jan-linux.lan>; from Jan.Lentfer@web.de on Wed, Jun 26, 2002 at 08:30:41PM +0200

On Wed, Jun 26, 2002 at 08:30:41PM +0200, Jan Lentfer wrote:
> Ok all,
>
> I somewhat gave up to follow the OpenSSH conversation on the list. I
> have ONE question:

  I totally understand.

> I am now running 3.3p1 on all my boxes (FreeBSD & Linux) with Privilege
> Separation enabled. Is this configuration secure for now or not?
> Do I have to update to 3.4 as soon as it is in ports or can I take a few
> days until everything has settled and calmed a little?

  According to early reports, privsep should help you diminish the
  severity of the problem. However, since you've already bit the
  bullet, you may as well move on up to 3.4, as that is the official
  version containing the fix.

  It should be noted that from our interpretation, the version of
  OpenSSH shipping in -STABLE is /not/ vulnerable to this attack, so
  there is less reason to panic. However, just to be sure, if you
  already have the means and are well under way, move on up to 3.4.

> Regards,
>
> Jan

--
Bosko Milekic
bmilekic@unixdaemons.com
bmilekic@FreeBSD.org