Bug 58153

Summary: 4.9 default with vulnerable openssh 3.5
Product: Base System
Reporter: Charlie & <root>
Component: bin
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: Unspecified
Hardware: Any
OS: Any

Description Charlie & 2003-10-17 00:40:16 UTC
4.9 (current RC2) is still distributing openssh 3.5p1
which is a vulnerable version of openssh.
For 4.9-RELEASE, this needs to be changed to openssh-3.7p2

Fix: 

build openssh-3.7p2 for formal 4.9-RELEASE
Comment 1 Kris Kennaway freebsd_committer freebsd_triage 2003-10-17 07:23:37 UTC
State Changed
From-To: open->closed

As documented in the recent advisory, OpenSSH has been 
patched in all supported versions of FreeBSD.
Comment 2 Peter Pentchev 2003-10-22 07:25:48 UTC
On Tue, Oct 21, 2003 at 11:20:01AM -0700, Jin Guojun [NCS] wrote:
> Daan van de Linde wrote:
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > > >Description:
> > >       4.9 (current RC2) is still distributing openssh 3.5p1
> > >       which is a vulnerable version of openssh.
> > >       For 4.9-RELEASE, this needs to be changed to openssh-3.7p2
> >
> > It should be changed to openssh 3.7.1p2.
> > I vaguely remember that the base-ssh (3.5) was patched for the
> > vulnerabilities. Can be checked by the freebsd addendum in the
> > sshd_config.
> >
> > - --Daan
> 
> The 4.9-RC3 still has 3.5p1. It is hard to tell if it is patched.
> If it is patched, the banner should be changed at least. Otherwise,
> it is not very useful, because users have no idea if this is secure.
> 
> Also, the security scan is based on the banner. Once they saw
> such an old version, they will simply block connections to 4.9
> hosts.


As Daan wrote, you can check whether the server is patched or not by
examining its version addendum string.  If you take a look at the actual
FreeBSD security advisories, specifically FreeBSD-SA-03:12 (released on
September 17th) and FreeBSD-SA-03:15 (released on October 5th), linked
from the http://www.FreeBSD.org/ website, you can see that at the end of
the advisories there are procedures for checking whether the patches
have been applied, and those procedures specifically check the SSH
version addendum string ('FreeBSD-20030924' for the last advisory).

Also, the version addendum string *is* displayed in the banner; any
scanner software should be able to tell the difference between
'SSH-1.99-OpenSSH_3.5p1' (the plain vanilla OpenSSH 3.5p1 banner) and
'SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030924' (the banner displayed by the
patched OpenSSH server in the RELENG_4 branch - the one in 4.9RC3 and
the upcoming 4.9RC).  Thus, yes, the SSH server's banner does indeed
give sufficient indication that the SSH vulnerabilities have been
patched.

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net    roam@sbnd.net    roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
What would this sentence be like if pi were 3?
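The banner check Peter describes, written out as an added example (it is not code from the bug report, from the FreeBSD advisories, or from OpenSSH). It splits an SSH identification string into protocol version, software version and the trailing comments field, looks for a `FreeBSD-YYYYMMDD` addendum there, and treats a host as patched either when the addendum date is at least 20030924 (the string the FreeBSD-SA-03:15 check procedure looks for) or when the OpenSSH version is 3.7.1p2 or later (Daan's correction of the original 3.7p2). The sample banners are constructed from the two strings quoted in the comment plus invented variants; the `20030201` addendum and the `scan_host` helper are assumptions for illustration, not something the thread states.

```python
import re
import socket
from typing import NamedTuple, Optional, Tuple

# Earliest FreeBSD version addendum that the FreeBSD-SA-03:15 check
# procedure accepts, as quoted in Peter Pentchev's comment.
PATCHED_ADDENDUM_DATE = 20030924
# Upstream release carrying the fixes (Daan's correction: 3.7.1p2, not 3.7p2).
FIXED_UPSTREAM = (3, 7, 1, 2)

_ADDENDUM_RE = re.compile(r"FreeBSD-(\d{8})")
_OPENSSH_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")

# Constructed sample banners (not captured from real hosts). The first two are
# the strings quoted in the thread; the 20030201 addendum is an assumed
# "patched, but before the advisory" case to show the date comparison.
SAMPLE_BANNERS = {
    "vanilla 3.5p1": "SSH-1.99-OpenSSH_3.5p1",
    "RELENG_4 patched": "SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030924",
    "RELENG_4 old addendum": "SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030201",
    "upstream 3.7.1p2": "SSH-2.0-OpenSSH_3.7.1p2",
    "upstream 3.7p2": "SSH-1.99-OpenSSH_3.7p2",
}


class Banner(NamedTuple):
    proto: str                                   # e.g. "1.99"
    software: str                                # e.g. "OpenSSH_3.5p1"
    comments: str                                # e.g. "FreeBSD-20030924" or ""
    version: Optional[Tuple[int, int, int, int]]  # (major, minor, patch, portable)
    addendum_date: Optional[int]                 # YYYYMMDD from the addendum


def parse_banner(line: str) -> Banner:
    """Split an SSH identification string into its fields.

    The layout is SSH-<proto>-<software>[ <comments>] followed by CR LF.
    The software version ends at the first space; everything after that
    space is the comments field, which is where FreeBSD puts its addendum.
    """
    line = line.rstrip("\r\n")
    if not line.startswith("SSH-"):
        raise ValueError("not an SSH identification string: %r" % line)
    head, _, comments = line.partition(" ")
    parts = head.split("-", 2)
    if len(parts) != 3:
        raise ValueError("malformed identification string: %r" % line)
    _, proto, software = parts

    version = None
    m = _OPENSSH_RE.match(software)
    if m:
        major, minor, patch, portable = m.groups()
        version = (int(major), int(minor), int(patch or 0), int(portable or 0))

    am = _ADDENDUM_RE.search(comments)
    addendum = int(am.group(1)) if am else None
    return Banner(proto, software, comments, version, addendum)


def classify(line: str) -> str:
    """Return 'patched-upstream', 'patched-freebsd', 'unpatched' or 'unknown'.

    A bare OpenSSH_3.5p1 banner and a 3.5p1 banner whose FreeBSD addendum
    predates the advisory are both reported as unpatched, which is exactly
    the distinction a scanner keyed only on "3.5p1" misses.
    """
    b = parse_banner(line)
    if b.version is None:
        return "unknown"  # not OpenSSH; this check says nothing about it
    if b.version >= FIXED_UPSTREAM:
        return "patched-upstream"
    if b.addendum_date is not None and b.addendum_date >= PATCHED_ADDENDUM_DATE:
        return "patched-freebsd"
    return "unpatched"


def scan_host(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Assumed helper: read the server's identification line and classify it.

    Only the first line is read; nothing is sent, so the server just sees an
    aborted connection.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        while not data.endswith(b"\n") and len(data) < 255:
            chunk = s.recv(1)
            if not chunk:
                break
            data += chunk
    return classify(data.decode("ascii", "replace"))


if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        print("%-22s %-45s %s" % (label, banner, classify(banner)))
```

The check mirrors what the advisories do and is only as trustworthy as the banner itself: a banner is a self-report, so a host that has been patched by hand without rebuilding `sshd` will still be flagged, and an operator who edits the version addendum can make an unpatched server pass.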