From nobody Wed Jul 03 02:53:17 2024
X-Original-To: questions@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4WDPVn08Ctz5Q76p
	for <questions@mlmmj.nyi.freebsd.org>; Wed, 03 Jul 2024 02:53:53 +0000 (UTC)
	(envelope-from brett@lariat.net)
Received: from mail.lariat.net (mail.lariat.net [66.62.230.51])
	by mx1.freebsd.org (Postfix) with ESMTP id 4WDPVm4CdMz4Z4D
	for <questions@freebsd.org>; Wed,  3 Jul 2024 02:53:52 +0000 (UTC)
	(envelope-from brett@lariat.net)
Authentication-Results: mx1.freebsd.org;
	none
Received: from Toshi.lariat.net (localhost.lariat.org [127.0.0.1])
	by mail.lariat.net (8.9.3/8.9.3) with ESMTP id UAA07651;
	Tue, 2 Jul 2024 20:53:23 -0600 (MDT)
Message-Id: <202407030253.UAA07651@mail.lariat.net>
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Tue, 02 Jul 2024 20:53:17 -0600
To: Dan Mahoney <freebsd@gushi.org>
From: Brett Glass <brett@lariat.net>
Subject: Re: Close OpenSSH hole on 13.1-RELEASE server without shutting
  down?
Cc: questions@freebsd.org
In-Reply-To: <BEF296B0-49CF-4A3C-A92D-B115AFC1C127@gushi.org>
References: <202407030050.SAA06884@mail.lariat.net>
 <BEF296B0-49CF-4A3C-A92D-B115AFC1C127@gushi.org>
List-Id: User questions <freebsd-questions.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
List-Help: <mailto:questions+help@freebsd.org>
List-Post: <mailto:questions@freebsd.org>
List-Subscribe: <mailto:questions+subscribe@freebsd.org>
List-Unsubscribe: <mailto:questions+unsubscribe@freebsd.org>
X-BeenThere: freebsd-questions@freebsd.org
Sender: owner-freebsd-questions@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Spamd-Bar: ----
X-Rspamd-Pre-Result: action=no action;
	module=replies;
	Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
	REPLY(-4.00)[];
	ASN(0.00)[asn:19092, ipnet:66.62.228.0/22, country:US]
X-Rspamd-Queue-Id: 4WDPVm4CdMz4Z4D

At 07:03 PM 7/2/2024, Dan Mahoney wrote:

>There is a workaround posted in the security advisory.

Unfortunately, the "workaround" is in many ways as bad as the 
vulnerability, because it exposes you to DoS attacks.

>You can also firewall off ssh connections from anywhere but trusted sources.

Yep. But if a worm based on this vulnerability begins to propagate, 
it might get behind the firewall. We really want to patch.

--Brett