freebsd 5.2.1 openssh hole

Jason M. Leonard fuzz at ldc.upenn.edu
Mon May 24 13:12:15 PDT 2004 

On Mon, 24 May 2004, Vince Hoffman wrote:

> On Mon, 24 May 2004, Thomas May wrote:
>
> > Hi,
> >
> > i have installed the new version 5.2.1 and the ports collection from
> > yesterday. i have checked the server
> >
> > with nessus and I got a security hole warning.
> >
> > You are running a version of OpenSSH which is older than 3.7.1
> >
> >
> >
> > Versions older than 3.7.1 are vulnerable to a flaw in the buffer management
>
> I think this should be ammended to "Unpatched Versions older than 3.7.1
> are etc etc ..."
>
> it looks like its refering to CERT Advisory CA-2003-24i [1], which effects
> unpatched versions of less than OpenSSH 3.7.1. however this was patched in
> freebsd (base and ports) the same day the advisory came out [2].
> if your worried though, or want the newest version, install ssh from
> ports.
>
> Vince


Also keep in mind that nessus is (at times hilariously) unintelligent.
Think of it like a lockpick gun.  A lockpick gun is a tool that can make
opening a lock easier for an experienced locksmith; it is not a tool
that magically opens locks.  nessus is a tool that can make life easier
for an experienced administrator; it is not a magic all-knowing security
genie.  nessus will give you good advice about where *you should look* to
see if there is a problem; beyond that take its "advice" with a salt lick.


:Fuzz



> >
> > functions which might allow an attacker to execute arbitrary commands on
> > this
> >
> > host.
> >
> >
> >
> > What can I do ? I have installed openssl from the ports tree, but I got the
> > same error.
> >
> >
> >
> >
> >
> >
> >
> >
> > ---
> > Outgoing mail is certified Virus Free.
> > Checked by AVG anti-virus system (http://www.grisoft.com).
> > Version: 6.0.689 / Virus Database: 450 - Release Date: 21.05.2004
> >
> > _______________________________________________
> > freebsd-questions at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
> >
> [1]http://www.cert.org/advisories/CA-2003-24.html
> [2]ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:12.openssh.asc
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>

More information about the freebsd-questions mailing list