bin/58153: 4.9 default with vulnerable openssh 3.5

Peter Pentchev roam at
Tue Oct 21 23:30:24 PDT 2003

The following reply was made to PR bin/58153; it has been noted by GNATS.

From: Peter Pentchev <roam at>
To: "Jin Guojun [NCS]" <j_guojun at>
Cc: bug-followup at
Subject: Re: bin/58153: 4.9 default with vulnerable openssh 3.5
Date: Wed, 22 Oct 2003 09:25:48 +0300

 On Tue, Oct 21, 2003 at 11:20:01AM -0700, Jin Guojun [NCS] wrote:
 > Daan van de Linde wrote:
 > > > >Description:
 > > >       4.9 (current RC2) is still distributing openssh 3.5p1
 > > >       which is a vulnerable version of openssh.
 > > >       For 4.9-RELEASE, this needs to be changed to openssh-3.7p2
 > >
 > > It should be changed to openssh 3.7.1p2.
 > > I vaguely remember that the base-ssh (3.5) was patched for the
 > > vulnerabilities. Can be checked by the FreeBSD addendum in the
 > > sshd_config.
 > >
 > > --Daan
 > The 4.9-RC3 still has 3.5p1. It is hard to tell if it is patched.
 > If it is patched, the banner should be changed at least. Otherwise,
 > it is not very useful, because users have no idea if this is secure.
 > Also, the security scan is based on the banner. Once they see
 > such an old version, they will simply block connections to 4.9
 > hosts.
 As Daan wrote, you can check whether the server is patched or not by
 examining its version addendum string.  If you take a look at the actual
 FreeBSD security advisories, specifically FreeBSD-SA-03:12 (released on
 September 17th) and FreeBSD-SA-03:15 (released on October 5th), linked
 from the website, you can see that at the end of
 the advisories there are procedures for checking whether the patches
 have been applied, and those procedures specifically check the SSH
 version addendum string ('FreeBSD-20030924' for the last advisory).
 Also, the version addendum string *is* displayed in the banner; any
 scanner software should be able to tell the difference between
 'SSH-1.99-OpenSSH_3.5p1' (the plain vanilla OpenSSH 3.5p1 banner) and
 'SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030924' (the banner displayed by the
 patched OpenSSH server in the RELENG_4 branch - the one in 4.9RC3 and
 the upcoming 4.9RC).  Thus, yes, the SSH server's banner does indeed
 give sufficient indication that the SSH vulnerabilities have been
 Peter Pentchev	roam at    roam at    roam at
 PGP key:
 Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
 What would this sentence be like if pi were 3?
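The banner check described in the reply above, as an added example (this code is not from the thread, the PR, or FreeBSD's advisories). It parses an SSH identification string ("SSH-protoversion-softwareversion", optionally followed by a space and a comment field, as defined in RFC 4253 section 4.2) and decides whether the server is the patched RELENG_4 OpenSSH 3.5p1 by looking for the 'FreeBSD-20030924' addendum named in FreeBSD-SA-03:15, or an upstream release at or above the 3.7.1p2 Daan mentions. The addendum threshold and the upstream version come from this thread; the function names, the 'unknown'/'vulnerable' labels, and the sample banners (including the earlier 'FreeBSD-20030201' addendum, which is constructed, not a real advisory string) are this example's own assumptions.

```python
import re
import socket
from typing import Optional, Tuple

# Addendum string FreeBSD-SA-03:15 uses to identify the patched RELENG_4
# OpenSSH 3.5p1 ('FreeBSD-20030924'); servers showing an older or missing
# addendum are treated as unpatched.
PATCHED_ADDENDUM_DATE = 20030924

# Upstream release named in the thread as the one to move to (3.7.1p2).
# Assumed here as the minimum vanilla OpenSSH version treated as fixed.
MIN_UPSTREAM_VERSION = (3, 7, 1, 2)

# SSH-protoversion-softwareversion [SP comments]  (RFC 4253, section 4.2)
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
ADDENDUM_RE = re.compile(r"\bFreeBSD-(?P<date>\d{8})\b")
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<version>\d+(?:\.\d+)*)(?:p(?P<portable>\d+))?")


def parse_banner(banner: str) -> dict:
    """Split an SSH identification string into protocol, software and comment parts."""
    m = BANNER_RE.match(banner.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {banner!r}")
    return {
        "proto": m.group("proto"),
        "software": m.group("software"),
        "comments": m.group("comments") or "",
    }


def openssh_version(software: str) -> Optional[Tuple[int, int, int, int]]:
    """'OpenSSH_3.7.1p2' -> (3, 7, 1, 2); None if the software field is not OpenSSH."""
    m = OPENSSH_RE.match(software)
    if not m:
        return None
    parts = [int(p) for p in m.group("version").split(".")]
    parts += [0] * (3 - len(parts))          # pad '3.5' to (3, 5, 0)
    portable = int(m.group("portable") or 0)
    return (parts[0], parts[1], parts[2], portable)


def freebsd_addendum_date(comments: str) -> Optional[int]:
    """Extract YYYYMMDD from a 'FreeBSD-YYYYMMDD' version addendum, if present."""
    m = ADDENDUM_RE.search(comments)
    return int(m.group("date")) if m else None


def classify(banner: str) -> str:
    """Return 'upstream_fixed', 'freebsd_patched', 'vulnerable' or 'unknown'."""
    info = parse_banner(banner)
    version = openssh_version(info["software"])
    if version is None:
        return "unknown"                     # not OpenSSH; this check says nothing
    if version >= MIN_UPSTREAM_VERSION:
        return "upstream_fixed"
    date = freebsd_addendum_date(info["comments"])
    if date is not None and date >= PATCHED_ADDENDUM_DATE:
        return "freebsd_patched"
    return "vulnerable"


def is_patched(banner: str) -> bool:
    return classify(banner) in ("upstream_fixed", "freebsd_patched")


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the server's identification line; the server sends it first, unprompted."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        while not data.endswith(b"\n") and len(data) < 255:
            chunk = s.recv(1)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", "replace").rstrip("\r\n")


if __name__ == "__main__":
    # Constructed sample banners: the two from the reply above plus assumed variants.
    for sample in (
        "SSH-1.99-OpenSSH_3.5p1",                    # plain vanilla 3.5p1
        "SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030924",   # patched RELENG_4 server
        "SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030201",   # constructed: pre-advisory addendum
        "SSH-2.0-OpenSSH_3.7.1p2",                   # upstream release from the thread
        "SSH-2.0-dropbear_0.39",                     # constructed: not OpenSSH at all
    ):
        print(f"{sample:45} -> {classify(sample)}")
```

The banner is only an indicator: it tells you what the vendor string claims, not what code is running, so treat 'vulnerable' as "go and check the host" rather than proof, and 'freebsd_patched' as consistent with the advisory's own verification procedure rather than a substitute for it.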

More information about the freebsd-bugs mailing list