FreeBSD Security Advisory FreeBSD-SA-16:33.openssh
Xin LI
delphij at gmail.com
Fri Nov 4 17:08:09 UTC 2016

The issue was originally reported to us as affecting OpenSSH 6.8+
(reference: RedHat bugtracker
https://bugzilla.redhat.com/show_bug.cgi?id=1384860), and therefore
9.3, 10.1 and 10.2 were not believed to be affected, so the "Affects:
All supported versions of FreeBSD" was a mistake in the original
advisory text.

We will investigate if the statement is true and will issue patches
for earlier FreeBSD releases, if they are confirmed to be affected.

The patch for 10.x can be amended (change "ssh_dispatch_set" to
"dispatch_set") to adapt to the earlier releases, by the way.

On Fri, Nov 4, 2016 at 2:08 AM, Vladimir Terziev
<Vladimir.Terziev at bwinparty.com> wrote:
> Hi,
>
> if you look at the advisory, it states "Affects: All supported versions of FreeBSD.", while in the "Corrected" section 10.1 & 10.2 are missing.
>
> They are still supported, so the fix for them must be developed or they must be listed as not affected, if that's the case.
>
>
> Regards,
>
> Vladimir
>
>
> On Nov 4, 2016, at 11:01 AM, Gregory Orange <gregory.orange at calorieking.com> wrote:
>
>> On 04/11/16 16:39, Kubilay Kocak wrote:
>>> Security advisories should state explicitly when otherwise supported
>>> versions are not vulnerable. It's surprising this isn't already the case.
>> I disagree. If none of the versions I have installed are listed, I don't read the rest of the advisory. Time saved. Listing them in a 'not affected' part of the message would add complexity and parsing for me - less time saved.
>>
>> Greg.
>> _______________________________________________
>> freebsd-security at freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-security
>> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"