From owner-freebsd-stable Thu Jul 4 10:59:23 2002
Date: Thu, 04 Jul 2002 10:59:16 -0700 (PDT)
From: Mark Hartley
To: D J Hawkey Jr
Cc: stable at FreeBSD, Christopher Schulte
Subject: Re: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1
In-Reply-To: <20020704123016.A89510@sheol.localdomain>
Sender: owner-freebsd-stable@FreeBSD.ORG

On 04-Jul-02 D J Hawkey Jr wrote:
> On Jul 04, at 12:18 PM, Christopher Schulte wrote:
>>
>> At 11:59 AM 7/4/2002 -0500, D J Hawkey Jr wrote:
>> >Once the dust has settled, will the recent changes in 4.6-STABLE be MFC'd
>> >to 4.6-RELEASE:
>> >
>> > - OpenSSH 3.4p1
>>
>> I don't think so.
>>
>> >At this time, OpenSSH 3.4 will not be merged into the security
>> >branches. They are currently not vulnerable, and major upgrades are
>> >outside the scope of the security branches, particularly when such
>> >upgrades are practically guaranteed to break existing installations.
>
> But, but... But 4.6-RELEASE is vulnerable, as I understand it, and OpenSSH
> has to be considered within scope, no?
>

The OpenSSH in 4.6-RELEASE is NOT vulnerable to the recent ssh hole. This has
been stated several times (though maybe not on the -stable list).

See this link for more details:

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=468648+0+current/freebsd-security

Mark.