From owner-freebsd-questions@FreeBSD.ORG Mon May 24 12:47:55 2004 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BC71316A4CE for ; Mon, 24 May 2004 12:47:55 -0700 (PDT) Received: from unsane.co.uk (unsane.co.uk [82.152.23.78]) by mx1.FreeBSD.org (Postfix) with ESMTP id 12AEF43D3F for ; Mon, 24 May 2004 12:47:55 -0700 (PDT) (envelope-from jhary@unsane.co.uk) Received: from unsane.co.uk (localhost [127.0.0.1]) by unsane.co.uk (8.12.11/8.12.10) with ESMTP id i4OJlXQV063087 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 24 May 2004 20:47:33 +0100 (BST) (envelope-from jhary@unsane.co.uk) Received: from localhost (jhary@localhost) by unsane.co.uk (8.12.11/8.12.10/Submit) with ESMTP id i4OJlXWE063084; Mon, 24 May 2004 20:47:33 +0100 (BST) (envelope-from jhary@unsane.co.uk) Date: Mon, 24 May 2004 20:47:32 +0100 (BST) From: Vince Hoffman To: Thomas May In-Reply-To: <20040524192344.E6DFE43D2D@mx1.FreeBSD.org> Message-ID: <20040524203600.W62977@unsane.co.uk> References: <20040524192344.E6DFE43D2D@mx1.FreeBSD.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: freebsd-questions@freebsd.org Subject: Re: freebsd 5.2.1 openssh hole X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 May 2004 19:47:55 -0000 On Mon, 24 May 2004, Thomas May wrote: > Hi, > > > > i have installed the new version 5.2.1 and the ports collection from > yesterday. i have checked the server > > with nessus and I got a security hole warning. > > > > You are running a version of OpenSSH which is older than 3.7.1 > > > > Versions older than 3.7.1 are vulnerable to a flaw in the buffer management I think this should be ammended to "Unpatched Versions older than 3.7.1 are etc etc ..." it looks like its refering to CERT Advisory CA-2003-24i [1], which effects unpatched versions of less than OpenSSH 3.7.1. however this was patched in freebsd (base and ports) the same day the advisory came out [2]. if your worried though, or want the newest version, install ssh from ports. Vince > > functions which might allow an attacker to execute arbitrary commands on > this > > host. > > > > What can I do ? I have installed openssl from the ports tree, but I got the > same error. > > > > > > > > > --- > Outgoing mail is certified Virus Free. > Checked by AVG anti-virus system (http://www.grisoft.com). > Version: 6.0.689 / Virus Database: 450 - Release Date: 21.05.2004 > > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org" > [1]http://www.cert.org/advisories/CA-2003-24.html [2]ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:12.openssh.asc