From: Ray Gilstrap
Date: Wed, 26 Jun 2002 10:41:06 -0700 (PDT)
To: freebsd-stable@FreeBSD.ORG
Subject: Re: OpenSSH
In-Reply-To: <20020626171500.GS1961@beastie.datatrade.off>
Message-ID: <20020626103000.B43537-100000@ratogi.arc.nasa.gov>

here's what i just learned from http://openssh.org/txt/preauth.adv and
http://openssh.org/txt/iss.adv:

1. openssh 2.9 and earlier aren't affected.

2. if you are running a vulnerable version, turning off
   ChallengeResponseAuthentication will also immunize you.

3. openssh 3.4 was released today, containing a fix for this and a check
   for another "class of potential bugs."

~r
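Added example, not part of the original message: a POSIX shell check that applies the three points above to a version string and an sshd_config. Treating every release after 2.9 and before 3.4 as affected is an assumption drawn from points 1 and 3; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are hypothetical.

# Effective ChallengeResponseAuthentication value for an sshd_config on stdin.
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and an unset keyword falls back to the default "yes".
crauth_setting() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # skip comments and blanks
        tolower($1) == "challengeresponseauthentication" { print $2; found = 1; exit }
        END { if (!found) print "yes" }
    '
}

# Classify a version string such as "OpenSSH_3.3p1" or "2.9.9".
# From the post: 2.9 and earlier are not affected, 3.4 carries the fix.
# Assumption of this example: everything in between counts as affected.
version_class() {
    v=$(printf '%s\n' "$1" | sed -n \
        's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\{0,1\}\([0-9]*\).*/\1 \2 \3/p')
    [ -n "$v" ] || { echo unknown; return; }
    set -- $v
    n=$(( $1 * 10000 + $2 * 100 + ${3:-0} ))
    if [ "$n" -le 20900 ]; then echo not-affected
    elif [ "$n" -ge 30400 ]; then echo fixed
    else echo affected
    fi
}

# assess VERSION < sshd_config : combine both checks into one verdict.
assess() {
    class=$(version_class "$1")
    cr=$(crauth_setting)
    case "$class" in
        not-affected|fixed) echo "ok: $class" ;;
        affected)
            if [ "$cr" = "no" ]; then echo "mitigated: ChallengeResponseAuthentication no"
            else echo "exposed: upgrade to 3.4 or set ChallengeResponseAuthentication no"
            fi ;;
        *) echo "unknown version: check manually" ;;
    esac
}

# Constructed sample config: the first active line wins, the later "yes" is ignored.
SAMPLE_CONFIG='# sample sshd_config (constructed)
Port 22
challengeresponseauthentication no
ChallengeResponseAuthentication yes'

printf '%s\n' "$SAMPLE_CONFIG" | assess "OpenSSH_3.3p1"
```

On a live host the same check can be run as `assess "$(ssh -V 2>&1)" < /etc/ssh/sshd_config`, assuming the client and server come from the same OpenSSH install.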