bin/58153: 4.9 default with vulnerable openssh 3.5

Jin Guojun [NCS] j_guojun at
Tue Oct 21 11:19:59 PDT 2003

Daan van de Linde wrote:

> > >Description:
> >       4.9 (current RC2) is still distributing openssh 3.5p1
> >       which is a vulnerable version of openssh.
> >       For 4.9-RELEASE, this needs to be changed to openssh-3.7p2
> It should be changed to openssh 3.7.1p2.
> I vaguely remember that the base-ssh (3.5) was patched for the
> vulnerabilities. Can be checked by the freebsd addendum in the
> sshd_config.
> - --Daan

The 4.9-RC3 still has 3.5p1. It is hard to tell if it is patched.
If it is patched, the banner should be changed at least. Otherwise,
it is not very useful, because users have no idea if this is secure.

Also, the security scan is based on the banner. Once they see
such an old version, they will simply block connections to 4.9.
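
Added example, not part of the original thread: a scanner-side triage of the SSH identification string that separates "old version, no vendor addendum" from "old version, vendor addendum present", the case discussed above where the banner alone cannot show whether fixes were backported. The sample banners, the addendum value and the three-way policy are constructed assumptions; only the 3.7.1p2 target comes from the thread.

```python
import re

# Version the thread asks for (3.7.1p2) as (major, minor, patch, portable).
WANTED = (3, 7, 1, 2)

# Identification string layout: SSH-protoversion-softwareversion SP comments
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comment>.*))?$"
)
OPENSSH_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")


def parse_banner(line):
    """Split an SSH banner into protocol, software, version and addendum."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    v = OPENSSH_RE.match(m["software"])
    version = tuple(int(x or 0) for x in v.groups()) if v else None
    return {
        "proto": m["proto"],
        "software": m["software"],
        "version": version,        # None when the server is not OpenSSH
        "addendum": m["comment"],  # vendor text after the space, if any
    }


def triage(line):
    """Hypothetical policy: never trust or condemn on the version alone."""
    b = parse_banner(line)
    if b is None or b["version"] is None:
        return "unknown"
    if b["version"] >= WANTED:
        return "current"
    # Old upstream version with a vendor addendum: fixes may have been
    # backported, so the banner proves nothing either way. Check the host.
    if b["addendum"]:
        return "verify-on-host"
    return "flag"


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    for sample in (
        "SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030924",
        "SSH-1.99-OpenSSH_3.5p1",
        "SSH-2.0-OpenSSH_3.7.1p2",
    ):
        print(f"{sample!r:45} -> {triage(sample)}")
```
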

