bin/58153: 4.9 default with vulnerable openssh 3.5

Peter Pentchev roam at ringlet.net
Tue Oct 21 23:30:24 PDT 2003


The following reply was made to PR bin/58153; it has been noted by GNATS.

From: Peter Pentchev <roam at ringlet.net>
To: "Jin Guojun [NCS]" <j_guojun at lbl.gov>
Cc: bug-followup at freebsd.org
Subject: Re: bin/58153: 4.9 default with vulnerable openssh 3.5
Date: Wed, 22 Oct 2003 09:25:48 +0300

 On Tue, Oct 21, 2003 at 11:20:01AM -0700, Jin Guojun [NCS] wrote:
 > Daan van de Linde wrote:
 >
 > > -----BEGIN PGP SIGNED MESSAGE-----
 > > Hash: SHA1
 > >
 > > > >Description:
 > > >       4.9 (current RC2) is still distributing openssh 3.5p1
 > > >       which is a vulnerable version of openssh.
 > > >       For 4.9-RELEASE, this needs to be changed to openssh-3.7p2
 > >
 > > It should be changed to openssh 3.7.1p2.
 > > I vaguely remember that the base-ssh (3.5) was patched for the
 > > vulnerabilities. Can be checked by the FreeBSD addendum in the
 > > sshd_config.
 > >
 > > - --Daan
 >
 > The 4.9-RC3 still has 3.5p1. It is hard to tell if it is patched.
 > If it is patched, the banner should be changed at least. Otherwise,
 > it is not very useful, because users have no idea if this is secure.
 >
 > Also, the security scan is based on the banner. Once they see
 > such an old version, they will simply block connections to 4.9
 > hosts.
 
 As Daan wrote, you can check whether the server is patched or not by
 examining its version addendum string.  If you take a look at the actual
 FreeBSD security advisories, specifically FreeBSD-SA-03:12 (released on
 September 17th) and FreeBSD-SA-03:15 (released on October 5th), linked
 from the http://www.FreeBSD.org/ website, you can see that at the end of
 the advisories there are procedures for checking whether the patches
 have been applied, and those procedures specifically check the SSH
 version addendum string ('FreeBSD-20030924' for the last advisory).
 
 Also, the version addendum string *is* displayed in the banner; any
 scanner software should be able to tell the difference between
 'SSH-1.99-OpenSSH_3.5p1' (the plain vanilla OpenSSH 3.5p1 banner) and
 'SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030924' (the banner displayed by the
 patched OpenSSH server in the RELENG_4 branch - the one in 4.9RC3 and
 the upcoming 4.9RC).  Thus, yes, the SSH server's banner does indeed
 give sufficient indication that the SSH vulnerabilities have been
 patched.
 
 G'luck,
 Peter
 
 -- 
 Peter Pentchev	roam at ringlet.net    roam at sbnd.net    roam at FreeBSD.org
 PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
 Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
 What would this sentence be like if pi were 3?
 
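The check Peter describes, parsing the server's identification string and looking for the FreeBSD version addendum, is easy to automate for an inventory of hosts. The following is an added example, not code from the thread or from FreeBSD: it parses an SSH identification line of the RFC 4253 form `SSH-protoversion-softwareversion [comments]`, extracts the `FreeBSD-YYYYMMDD` addendum when present, and classifies the banner against the two facts the thread gives (the `FreeBSD-20030924` addendum from FreeBSD-SA-03:15, and OpenSSH 3.7.1p2 as the fixed upstream release). The banner strings in `main()` are constructed for illustration; `fetch_banner` is a helper of my own for reading a live banner.

```python
"""Classify SSH server banners by the FreeBSD version addendum (added example)."""
import re
import socket
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# FreeBSD appends a date stamp to the comments field; the SA-03:15 fix carries this one.
ADDENDUM_RE = re.compile(r"FreeBSD-(?P<date>\d{8})")
PATCHED_ADDENDUM_DATE = "20030924"          # from FreeBSD-SA-03:15, quoted in the thread
FIXED_UPSTREAM_VERSION = (3, 7, 1, 2)       # OpenSSH 3.7.1p2, named in the thread
VERSION_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")


@dataclass
class Banner:
    proto: str
    software: str
    comments: Optional[str]
    addendum_date: Optional[str]


def parse_banner(line: str) -> Banner:
    """Split one identification line into its protocol, software and comments parts."""
    line = line.rstrip("\r\n")
    m = BANNER_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    comments = m.group("comments")
    date = None
    if comments:
        am = ADDENDUM_RE.search(comments)
        if am:
            date = am.group("date")
    return Banner(m.group("proto"), m.group("software"), comments, date)


def openssh_version(software: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, micro, portable) for an OpenSSH_x.y[.z][pN] string, else None."""
    m = VERSION_RE.match(software)
    if not m:
        return None
    major, minor, micro, portable = m.groups()
    return (int(major), int(minor), int(micro or 0), int(portable or 0))


def assess(line: str) -> str:
    """Classify a banner: 'patched', 'unpatched', 'addendum-too-old' or 'not-openssh'."""
    b = parse_banner(line)
    version = openssh_version(b.software)
    if version is None:
        return "not-openssh"
    # A current upstream release needs no vendor addendum to be considered fixed.
    if version >= FIXED_UPSTREAM_VERSION:
        return "patched"
    if b.addendum_date is None:
        return "unpatched"                  # plain vanilla banner, e.g. stock 3.5p1
    # YYYYMMDD strings compare correctly as plain strings.
    if b.addendum_date >= PATCHED_ADDENDUM_DATE:
        return "patched"
    return "addendum-too-old"


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the identification line from a live server (servers may send pre-banner lines first)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        for _ in range(20):
            raw = f.readline()
            if not raw:
                break
            if raw.startswith(b"SSH-"):
                return raw.decode("ascii", "replace")
    raise RuntimeError("no SSH identification string received")


def main() -> None:
    # Constructed sample banners; the two 3.5p1 forms are the ones quoted in the thread.
    samples = [
        "SSH-1.99-OpenSSH_3.5p1\r\n",
        "SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030924\r\n",
        "SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030201\r\n",
        "SSH-2.0-OpenSSH_3.7.1p2\r\n",
    ]
    for line in samples:
        print(f"{line.strip():45s} -> {assess(line)}")


if __name__ == "__main__":
    main()
```

Because the addendum lives in the comments field after the space, a scanner that matches only on the `softwareversion` token will misreport every patched RELENG_4 host as vulnerable; comparing the full line, as above, is what distinguishes the two banners Peter quotes.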

