Security Fix Confusion
Colin Percival
colin.percival at wadham.ox.ac.uk
Sat Oct  4 14:04:20 PDT 2003

At 21:27 04/10/2003 +0100, you wrote:
>I'm wondering if anybody could enlighten me about the effect of tracking
>RELENG?
   Assuming you mean RELENG_x_y: You'll get critical security fixes for 
that release, for as long as that release is supported.
>However, a '/usr/sbin/sshd -\?' shows the version of OpenSSH running as
>being OpenSSH_3.4p1.
   If it reports "sshd version OpenSSH_3.4p1 FreeBSD-20030924", you're 
safe.  The "FreeBSD-20030924" means that it includes the latest fixes 
(incorporated by des@ on September 24th, part of SA-03:15).
>  Scanning the box with Nessus warns of the security hole
>associated with versions of OpenSSH prior to 3.7.1p2 and warned about in
>SA-03:12
>
>So, my question is, am I actually covered by 4.7-RELEASE-p21 and Nessus is
>giving a false positive, or am I still potentially vulnerable?
   Looks like a false positive to me.
Colin Percival
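An added example, not part of the thread, of the false-positive mechanism discussed above: a scanner that compares only the upstream OpenSSH version number flags the banner Colin quotes, while one that also reads the FreeBSD-YYYYMMDD patch suffix does not. The banners other than the one quoted in the reply are constructed, and the rule that a FreeBSD date token at or after 20030924 carries the SA-03:15 fix is taken from the reply.

```python
import re

# Constructed sample banners; only "patched_freebsd" is the one quoted in the thread.
BANNERS = {
    "patched_freebsd": "sshd version OpenSSH_3.4p1 FreeBSD-20030924",
    "older_freebsd":   "sshd version OpenSSH_3.4p1 FreeBSD-20020702",   # constructed
    "stock_old":       "sshd version OpenSSH_3.4p1",                    # constructed
    "upstream_fixed":  "sshd version OpenSSH_3.7.1p2",                  # constructed
}

FIXED_UPSTREAM = (3, 7, 1, 2)   # OpenSSH 3.7.1p2, the threshold the scanner uses
FREEBSD_FIX_DATE = 20030924     # vendor patch date carrying the backported fix (SA-03:15)

# major.minor[.patch][pN][ FreeBSD-YYYYMMDD]
BANNER_RE = re.compile(
    r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?(?:\s+FreeBSD-(\d{8}))?"
)


def parse_banner(banner):
    """Return ((major, minor, patch, portable), vendor_date_or_None) or None."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch, portable, vendor = m.groups()
    version = (int(major), int(minor), int(patch or 0), int(portable or 0))
    return version, (int(vendor) if vendor else None)


def naive_verdict(banner):
    """Version-only check: anything below 3.7.1p2 is reported as vulnerable."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"
    version, _ = parsed
    return "vulnerable" if version < FIXED_UPSTREAM else "patched"


def vendor_aware_verdict(banner):
    """Same check, but a vendor patch date at or after the fix date counts as patched."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"
    version, vendor_date = parsed
    if version >= FIXED_UPSTREAM:
        return "patched"
    if vendor_date is not None and vendor_date >= FREEBSD_FIX_DATE:
        return "patched"   # backported fix present despite the old base version
    return "vulnerable"
```

The vendor date only tells you the patch level of that FreeBSD branch, so an accurate check still needs to know which advisories each date covers; the constant here encodes just the one case from the thread.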