bin/58153: 4.9 default with vulnerable openssh 3.5

Jin Guojun [NCS] j_guojun at lbl.gov
Tue Oct 21 11:19:59 PDT 2003


Daan van de Linde wrote:

> > >Description:
> >       4.9 (current RC2) is still distributing openssh 3.5p1
> >       which is a vulnerable version of openssh.
> >       For 4.9-RELEASE, this needs to be changed to openssh-3.7p2
>
> It should be changed to openssh 3.7.1p2.
> I vaguely remember that the base-ssh (3.5) was patched for the
> vulnerabilities. Can be checked by the freebsd addendum in the
> sshd_config.
>
> - --Daan

The 4.9-RC3 still has 3.5p1. It is hard to tell if it is patched.
If it is patched, the banner should be changed at least. Otherwise,
it is not very useful, because users have no idea if this is secure.

Also, the security scan is based on the banner. Once they see
such an old version, they will simply block connections to 4.9
hosts.

    -Jin
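One way to implement the banner-based version check Jin describes, while flagging the case Daan raises (a vendor-patched build whose banner still shows the old version), as an added example that is not part of the original thread. The sample banner strings and the vendor tag are constructed; the minimum version is the 3.7.1p2 the thread names.

```python
import re
from typing import Optional, Tuple

# Minimum fixed release named in the thread: openssh 3.7.1p2.
MIN_OPENSSH = (3, 7, 1, 2)

# Matches the OpenSSH version token in an SSH identification string,
# e.g. "OpenSSH_3.5p1" or "OpenSSH_3.7.1p2"; group 5 catches a suffix
# glued to the version (e.g. "-hpn").
_VER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?(\S*)")


def parse_banner(banner: str) -> Optional[dict]:
    """Parse 'SSH-x.y-OpenSSH_<ver> [comment]'; None if not an OpenSSH banner."""
    line = banner.strip()
    if not line.startswith("SSH-"):
        return None
    m = _VER_RE.search(line)
    if not m:
        return None
    major, minor, patch, portable, tail = m.groups()
    version: Tuple[int, int, int, int] = (
        int(major), int(minor), int(patch or 0), int(portable or 0))
    # Text after the version token (a vendor/date tag such as the
    # FreeBSD addendum mentioned in the thread) hints at a distribution
    # build that may carry backported fixes the version number hides.
    comment = line[m.end():].strip()
    return {"version": version, "vendor_tag": tail or comment, "raw": line}


def assess(banner: str) -> str:
    """Classify a banner: 'ok', 'outdated', 'verify-vendor-patch' or 'unknown'."""
    info = parse_banner(banner)
    if info is None:
        return "unknown"
    if info["version"] >= MIN_OPENSSH:
        return "ok"
    # The version alone says vulnerable; a vendor tag means the scanner
    # should defer to the vendor advisory instead of trusting the banner.
    return "verify-vendor-patch" if info["vendor_tag"] else "outdated"


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    for b in ("SSH-2.0-OpenSSH_3.7.1p2", "SSH-2.0-OpenSSH_3.5p1",
              "SSH-2.0-OpenSSH_3.5p1 FreeBSD-example-tag"):
        print(b, "->", assess(b))
```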


