Re: OpenSSH Security (just a question, please no f-war)

From: Bosko Milekic (bmilekic@unixdaemons.com)
Date: 06/26/02


Date: Wed, 26 Jun 2002 14:39:58 -0400
From: Bosko Milekic <bmilekic@unixdaemons.com>
To: Jan Lentfer <Jan.Lentfer@web.de>


On Wed, Jun 26, 2002 at 08:30:41PM +0200, Jan Lentfer wrote:
> Ok all,
>
> I somewhat gave up on following the OpenSSH conversation on the list. I
> have ONE question:

  I totally understand.

> I am now running 3.3p1 on all my boxes (FreeBSD & Linux) with Privilege
> Separation enabled. Is this configuration secure for now or not?
> Do I have to update to 3.4 as soon as it is in ports or can I take a few
> days until everything has settled and calmed a little?

  According to early reports, privsep should help you diminish the
  severity of the problem. However, since you've already bitten the
  bullet, you may as well move on up to 3.4, as that is the official
  version containing the fix. It should be noted that from our
  interpretation, the version of OpenSSH shipping in -STABLE is /not/
  vulnerable to this attack, so there is less reason to panic. However,
  just to be sure, if you already have the means and are well under way,
  move on up to 3.4.

> Regards,
>
> Jan

-- 
Bosko Milekic
bmilekic@unixdaemons.com
bmilekic@FreeBSD.org