Question about "FreeBSD Security Advisory FreeBSD-SA-13:14.openssh"
Paul Hoffman
phoffman at proper.com
Tue Nov 19 16:14:38 UTC 2013
On Nov 19, 2013, at 7:54 AM, Darren Pilgrim <list_freebsd at bluerosetech.com> wrote:
> On 11/19/2013 7:44 AM, Paul Hoffman wrote:
>> Greetings again. Why does this announcement only apply to:
>>
>>> Affects: FreeBSD 10.0-BETA
>>
>> That might be the only version where aes128-gcm and aes256-gcm are in
>> the defaults, but other versions of FreeBSD allow you to specify
>> cipher lists in /etc/ssh/sshd_config. I would think that you would
>> need to update all systems running OpenSSH 6.2 and 6.3, according to
>> the CVE. FWIW, when I did a freebsd-update on my 9.2-RELEASE system,
>> sshd (6.2) was not updated.
>
> The other requirement for being vulnerable is OpenSSH must be compiled with TLS 1.2 support (i.e., linked to OpenSSL v1.0.1 or later). FreeBSD 9.2 only has OpenSSL 0.9.8.y.
Very clear explanation, thanks! (I note that this wasn't even hinted at in the CVE...)
--Paul Hoffman
More information about the freebsd-security
mailing list