Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 24 May 2004 20:47:32 +0100 (BST)
From:      Vince Hoffman <jhary@unsane.co.uk>
To:        Thomas May <thomas.may@x9media.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: freebsd 5.2.1 openssh hole
Message-ID:  <20040524203600.W62977@unsane.co.uk>
In-Reply-To: <20040524192344.E6DFE43D2D@mx1.FreeBSD.org>
References:  <20040524192344.E6DFE43D2D@mx1.FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help 


On Mon, 24 May 2004, Thomas May wrote:

> Hi,
>
>
>
> i have installed the new version 5.2.1 and the ports collection from
> yesterday. i have checked the server
>
> with nessus and I got a security hole warning.
>
>
>
> You are running a version of OpenSSH which is older than 3.7.1
>
>
>
> Versions older than 3.7.1 are vulnerable to a flaw in the buffer management

I think this should be ammended to "Unpatched Versions older than 3.7.1
are etc etc ..."

it looks like its refering to CERT Advisory CA-2003-24i [1], which effects
unpatched versions of less than OpenSSH 3.7.1. however this was patched in
freebsd (base and ports) the same day the advisory came out [2].
if your worried though, or want the newest version, install ssh from
ports.

Vince
>
> functions which might allow an attacker to execute arbitrary commands on
> this
>
> host.
>
>
>
> What can I do ? I have installed openssl from the ports tree, but I got the
> same error.
>
>
>
>
>
>
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.689 / Virus Database: 450 - Release Date: 21.05.2004
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
[1]http://www.cert.org/advisories/CA-2003-24.html
[2]ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:12.openssh.asc

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040524203600.W62977>