Security Fix Confusion
Colin Percival
colin.percival at wadham.ox.ac.uk
Sat Oct 4 14:04:20 PDT 2003
At 21:27 04/10/2003 +0100, you wrote:
>I'm wondering if anybody could enlighten me about the effect of tracking
>RELENG?
Assuming you mean RELENG_x_y: You'll get critical security fixes for
that release, for as long as that release is supported.
>However, a '/usr/sbin/sshd -\?' shows the version of OpenSSH running as
>being OpenSSH_3.4p1.
If it reports "sshd version OpenSSH_3.4p1 FreeBSD-20030924", you're
safe. The "FreeBSD-20030924" means that it includes the latest fixes
(incorporated by des@ on September 24th, part of SA-03:15).
>Scanning the box with Nessus warns of the security hole
>associated with versions of OpenSSH prior to 3.7.1p2 and warned about in
>SA-03:12
>
>So, my question is, am I actually covered by 4.7-RELEASE-p21 and Nessus is
>giving a false positive, or am I still potentially vulnerable?
Looks like a false positive to me.
Colin Percival
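An added example (not from this thread or from FreeBSD) of how a local inventory or scanner check can honour the vendor patch tag Colin describes instead of comparing only the bare upstream version: a "FreeBSD-YYYYMMDD" suffix at or after 20030924 is treated as carrying the SA-03:15 fix, and an upstream version at or past 3.7.1p2 (the threshold in the quoted Nessus finding) is treated as fixed. The dates and thresholds come from the messages above; the banner regex, the Verdict structure and the sample banners are assumptions constructed here.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Thresholds taken from the thread: upstream fixed version per the Nessus
# finding, and the FreeBSD backport date per Colin's reply (SA-03:15).
UPSTREAM_FIXED = (3, 7, 1)
FREEBSD_FIXED_DATE = 20030924

# Constructed pattern: "OpenSSH_3.4p1" optionally followed by "FreeBSD-20030924".
BANNER_RE = re.compile(
    r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?p?\d*"  # upstream version, e.g. 3.4p1
    r"(?:\s+FreeBSD-(\d{8}))?"                # optional vendor patch date
)


@dataclass
class Verdict:
    upstream: tuple
    vendor_date: Optional[int]
    patched: bool
    reason: str


def assess(banner: str) -> Verdict:
    """Decide whether an sshd version banner shows evidence of the fix."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised sshd banner: {banner!r}")
    upstream = tuple(int(x) if x else 0 for x in m.group(1, 2, 3))
    vendor_date = int(m.group(4)) if m.group(4) else None
    if upstream >= UPSTREAM_FIXED:
        return Verdict(upstream, vendor_date, True, "upstream version at or past fix")
    if vendor_date is not None and vendor_date >= FREEBSD_FIXED_DATE:
        return Verdict(upstream, vendor_date, True, "vendor backport present")
    # A bare old version, or a vendor tag predating the fix: still at risk.
    return Verdict(upstream, vendor_date, False, "no evidence of fix in banner")


if __name__ == "__main__":
    # Constructed sample banners, in the "sshd -?" style quoted in the thread.
    for b in ("sshd version OpenSSH_3.4p1 FreeBSD-20030924",
              "sshd version OpenSSH_3.4p1 FreeBSD-20030901",
              "sshd version OpenSSH_3.4p1",
              "sshd version OpenSSH_3.7.1p2"):
        v = assess(b)
        print(f"{b!r}: patched={v.patched} ({v.reason})")
```

A plain version comparison, which is what the quoted Nessus check appears to do, reports the first banner as vulnerable; the vendor-date rule is what turns that into a recognisable false positive.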