Re: Lack of evidence for new SSH vulnerability

From: Brett Glass (brett@lariat.org)
Date: 11/30/01


Date: Thu, 29 Nov 2001 21:56:32 -0700
To: Kris Kennaway <kris@obsecurity.org>
From: Brett Glass <brett@lariat.org>

At 07:45 PM 11/29/2001, Kris Kennaway wrote:

>Your email described how you upgraded to the latest version of OpenSSH
>because you weren't sure whether the version currently in FreeBSD was
>affected by the vulnerability described in the CERT and Dittrich
>reports. That indicates you had no clue what was going on since both
>documents quite clearly refer to versions of OpenSSH which were
>included in FreeBSD a year ago, the CERT advisory explicitly
>states when the problem was fixed (a year ago), and links to the
>FreeBSD advisory which also says clearly that we fixed it a year ago.

I knew exactly what was going on, Kris, and think I acted
appropriately.

The fact that FreeBSD 4.4 (which incorporates 2.3.0) was explicitly
mentioned in Dittrich's paper, and that the exploit was being talked
about again after a year's time, raised concerns that perhaps an
exploit for newer versions had been found. Perhaps my upgrades to
3.0.1p1 were unnecessary except on my older machines, but I'm glad
I did them anyway. I might have clobbered other bugs or security
holes in the process -- and if there ARE new exploits, I'll have
less chance of being hit. Can't be too careful these days; the
disclosure-to-automated-exploit window is getting VERY short.

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
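The question Brett raises (is the sshd actually running on each box a version the advisory covers, or one past the fix?) is something to check against the server's own identification string rather than to guess at. The following is an added example, not code from Brett Glass, Kris Kennaway or the FreeBSD project: it parses the OpenSSH software-version token from either `ssh -V` output or the `SSH-x.y-OpenSSH_a.b.c` line a server sends on connect, compares it against a required minimum, and can pull that line from a live host. The required version (3.0.1 here, simply because that is the release Brett upgraded to) and the sample banners are assumptions made for the example; for a real advisory the minimum fixed version must be taken from the advisory itself.

```python
import re
import socket
from typing import Dict, Optional, Tuple

# Matches the OpenSSH software-version token found both in the SSH identification
# string ("SSH-1.99-OpenSSH_2.3.0 ...") and in "ssh -V" output. Older releases used
# two numeric components (2.9), most use three (3.0.1); the portable suffix "pN" is
# captured separately because it does not affect the upstream version comparison.
_OPENSSH_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")

Version = Tuple[int, int, int]

# Assumption for this example: Brett's own upgrade target. An advisory's minimum
# fixed version is what should go here in practice.
REQUIRED: Version = (3, 0, 1)

# Constructed sample identification strings (not captured from real hosts).
SAMPLE_BANNERS: Dict[str, str] = {
    "old-box": "SSH-1.99-OpenSSH_2.2.0",
    "fbsd44": "SSH-1.99-OpenSSH_2.3.0 FreeBSD localisations 20010124",
    "upgraded": "SSH-1.99-OpenSSH_3.0.1p1",
    "not-openssh": "SSH-1.5-1.2.27",
}


def parse_openssh_version(text: str) -> Optional[Tuple[Version, int]]:
    """Return ((major, minor, patch), portable_level) for the first OpenSSH token in
    text, or None if the text does not identify an OpenSSH build at all."""
    m = _OPENSSH_RE.search(text)
    if not m:
        return None
    major, minor, patch, portable = m.groups()
    return (int(major), int(minor), int(patch or 0)), int(portable or 0)


def parse_ident_line(line: str) -> Tuple[str, str, str]:
    """Split an SSH identification string into (protoversion, softwareversion, comments).

    The wire format is "SSH-protoversion-softwareversion SP comments"; everything after
    the first space is free-form vendor text (e.g. FreeBSD's localisation tag)."""
    line = line.rstrip("\r\n")
    if not line.startswith("SSH-"):
        raise ValueError("not an SSH identification string: %r" % line)
    ident, _, comments = line.partition(" ")
    _, proto, software = ident.split("-", 2)
    return proto, software, comments


def is_at_least(text: str, required: Version = REQUIRED) -> Optional[bool]:
    """True/False for an OpenSSH banner at/below the required version; None if the
    banner is not OpenSSH (a different implementation needs its own advisory lookup)."""
    parsed = parse_openssh_version(text)
    if parsed is None:
        return None
    return parsed[0] >= required


def fetch_ident(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read a server's identification string. The server sends it first, so no client
    data is needed; lines that precede the SSH- line are permitted and are skipped."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("r", encoding="ascii", errors="replace", newline="\n")
        for line in f:
            if line.startswith("SSH-"):
                return line.rstrip("\r\n")
    raise ValueError("no identification string received from %s:%d" % (host, port))


def audit(banners: Dict[str, str], required: Version = REQUIRED) -> Dict[str, Optional[bool]]:
    """Map each host name to True (meets the minimum), False (below it) or None (not OpenSSH)."""
    return {host: is_at_least(banner, required) for host, banner in banners.items()}


if __name__ == "__main__":
    # Offline run over the constructed banners; swap in fetch_ident(host) for a real fleet.
    for host, ok in audit(SAMPLE_BANNERS).items():
        status = {True: "ok", False: "BELOW MINIMUM", None: "not OpenSSH"}[ok]
        print("%-12s %-55s %s" % (host, SAMPLE_BANNERS[host], status))
```

The comparison deliberately ignores the portable "pN" suffix, since patch-level releases of the portable tree track the same upstream fix; what it cannot see is a vendor backport that patches an older version string in place, which is exactly why the FreeBSD advisory's own statement of what was fixed, and when, has to be read alongside the banner.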
