bin/58153: 4.9 default with vulnerable openssh 3.5
Peter Pentchev
roam at ringlet.net
Tue Oct 21 23:30:24 PDT 2003
The following reply was made to PR bin/58153; it has been noted by GNATS.
From: Peter Pentchev <roam at ringlet.net>
To: "Jin Guojun [NCS]" <j_guojun at lbl.gov>
Cc: bug-followup at freebsd.org
Subject: Re: bin/58153: 4.9 default with vulnerable openssh 3.5
Date: Wed, 22 Oct 2003 09:25:48 +0300
On Tue, Oct 21, 2003 at 11:20:01AM -0700, Jin Guojun [NCS] wrote:
> Daan van de Linde wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > > >Description:
> > > 4.9 (current RC2) is still distributing openssh 3.5p1
> > > which is a vulnerable version of openssh.
> > > For 4.9-RELEASE, this needs to be changed to openssh-3.7p2
> >
> > It should be changed to openssh 3.7.1p2.
> > I vaguely remember that the base-ssh (3.5) was patched for the
> > vulnerabilities. Can be checked by the freebsd addendum in the
> > sshd_config.
> >
> > - --Daan
>
> The 4.9-RC3 still has 3.5p1. It is hard to tell if it is patched.
> If it is patched, the banner should be changed at least. Otherwise,
> it is not very useful, because users have no idea if this is secure.
>
> Also, the security scan is based on the banner. Once they see
> such an old version, they will simply block connections to 4.9
> hosts.
As Daan wrote, you can check whether the server is patched or not by
examining its version addendum string. If you take a look at the actual
FreeBSD security advisories, specifically FreeBSD-SA-03:12 (released on
September 17th) and FreeBSD-SA-03:15 (released on October 5th), linked
from the http://www.FreeBSD.org/ website, you can see that at the end of
the advisories there are procedures for checking whether the patches
have been applied, and those procedures specifically check the SSH
version addendum string ('FreeBSD-20030924' for the last advisory).
Also, the version addendum string *is* displayed in the banner; any
scanner software should be able to tell the difference between
'SSH-1.99-OpenSSH_3.5p1' (the plain vanilla OpenSSH 3.5p1 banner) and
'SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030924' (the banner displayed by the
patched OpenSSH server in the RELENG_4 branch - the one in 4.9RC3 and
the upcoming 4.9RC). Thus, yes, the SSH server's banner does indeed
give sufficient indication that the SSH vulnerabilities have been
patched.
G'luck,
Peter
-- 
Peter Pentchev roam at ringlet.net roam at sbnd.net roam at FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
What would this sentence be like if pi were 3?
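The banner check Peter describes, written out as an added example (not code from the thread or from FreeBSD): it parses the SSH identification string, pulls out the FreeBSD-YYYYMMDD addendum, and reports an OpenSSH_3.5p1 banner as patched only if the addendum date is at least 20030924, the value the advisory procedure checks for. The sample banners are constructed from the two strings quoted above; the `read_banner` helper for querying a live host is assumed here and is not part of the original.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample banners, built from the two strings quoted in the reply
# (the "older" addendum date is hypothetical, to show the comparison).
SAMPLE_BANNERS = {
    "vanilla": "SSH-1.99-OpenSSH_3.5p1\r\n",
    "patched": "SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030924\r\n",
    "older":   "SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030201\r\n",
}

# Addendum date that the FreeBSD-SA-03:15 check procedure looks for.
REQUIRED_ADDENDUM = 20030924

# SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>[^-]+)-(?P<software>\S+)(?: (?P<comment>.*))?$")

class Banner(NamedTuple):
    proto: str
    software: str
    comment: Optional[str]

def parse_banner(line: str) -> Banner:
    """Split an SSH identification string into protocol, software and comment."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return Banner(m.group("proto"), m.group("software"), m.group("comment"))

def freebsd_addendum_date(b: Banner) -> Optional[int]:
    """Return YYYYMMDD from a 'FreeBSD-YYYYMMDD' version addendum, or None."""
    if not b.comment:
        return None
    m = re.search(r"\bFreeBSD-(\d{8})\b", b.comment)
    return int(m.group(1)) if m else None

def classify(line: str) -> str:
    """'patched', 'unpatched' or 'unknown' for a FreeBSD OpenSSH_3.5p1 banner."""
    b = parse_banner(line)
    if b.software != "OpenSSH_3.5p1":
        return "unknown"   # the addendum rule here only covers the 4.x base 3.5p1
    date = freebsd_addendum_date(b)
    if date is None:
        return "unpatched"  # plain vanilla 3.5p1 banner, no FreeBSD addendum at all
    return "patched" if date >= REQUIRED_ADDENDUM else "unpatched"

def read_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Fetch the identification line from a live server (assumed helper, not run here)."""
    import socket
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("r", encoding="ascii", errors="replace", newline="\n")
        for line in f:
            if line.startswith("SSH-"):
                return line
    raise ValueError("no SSH identification line received")
```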