From nobody@www.freebsd.org Sun May 26 16:27:47 2002
Return-Path:
Received: from nwww.freebsd.org (www.FreeBSD.org [216.136.204.117]) by hub.freebsd.org (Postfix) with ESMTP id 3292637B400 for ; Sun, 26 May 2002 16:27:47 -0700 (PDT)
Received: from www.freebsd.org (localhost [127.0.0.1]) by nwww.freebsd.org (8.12.2/8.12.2) with ESMTP id g4QNRlhG022673 for ; Sun, 26 May 2002 16:27:47 -0700 (PDT) (envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost) by www.freebsd.org (8.12.2/8.12.2/Submit) id g4QNRlr7022672; Sun, 26 May 2002 16:27:47 -0700 (PDT)
Message-Id: <200205262327.g4QNRlr7022672@www.freebsd.org>
Date: Sun, 26 May 2002 16:27:47 -0700 (PDT)
From: Geir Råness
To: freebsd-gnats-submit@FreeBSD.org
Subject: Bug in ssh2 in the ports !
X-Send-Pr-Version: www-1.0

>Number: 38592
>Category: ports
>Synopsis: Bug in ssh2 in the ports !
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports
>State: closed
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun May 26 16:30:02 PDT 2002
>Closed-Date: Tue May 28 14:28:37 PDT 2002
>Last-Modified: Tue May 28 14:28:37 PDT 2002
>Originator: Geir Råness
>Release: 4.5
>Organization:
>Environment:
FreeBSD pulz.mine.nu 4.5-STABLE FreeBSD 4.5-STABLE #0: Mon Apr 22 15:44:46 CEST 2002 geir@pulz.soulcollector.org.uk:/usr/obj/usr/src/sys/PULZ i386
>Description:
A bug has been found in the ssh 3.0.1 to 3.1.0 series. And if you look in the ssh2 ports dir, you will see it uses 3.1.0. If you don't configure your config file right, you would be vulnerable to this bug. Read about it here:
http://online.securityfocus.com/archive/1/273840/2002-05-23/2002-05-29/0
http://www.ssh.com/products/ssh/advisories/authentication.cfm
The maintainer of this port has also been notified about this problem. So at last, I would like to have this port marked as forbidden. And the maintainer should update it!
>How-To-Repeat:
Install ssh2 3.1.0 and use the standard conf? ;)
>Fix:
Either configure your config file right, patch your current ssh, or upgrade to the newest version. That is 3.1.2 at this time.
>Release-Note:
>Audit-Trail:

From: "David W. Chapman Jr."
To: ,
Cc:
Subject: Re: ports/38592: Bug in ssh2 in the ports !
Date: Sun, 26 May 2002 20:58:26 -0500

I don't believe this is actively maintained anymore, everyone should be using openssh. If you would care to submit a diff to upgrade this to the latest version and the maintainer doesn't respond for a few weeks we can upgrade it. If you don't, and the maintainer doesn't respond, nothing is likely to happen.

From: Lars Eggert
To: freebsd-gnats-submit@FreeBSD.org, freebsd@pulz.no
Cc:
Subject: Re: ports/38592: Bug in ssh2 in the ports !
Date: Tue, 28 May 2002 11:36:55 -0700

I'm the maintainer, and attached is the update to 3.1.2. Please commit ASAP, since this fixes an important security issue. PR ports/38592 can also be closed after this commit.

Thanks,
Lars
--
Lars Eggert USC Information Sciences Institute

Content-Disposition: inline; filename="ssh2.patch"

diff -u ssh2.old/Makefile ssh2/Makefile --- ssh2.old/Makefile Tue May 28 10:46:58 2002 +++ ssh2/Makefile Tue May 28 11:29:42 2002 @@ -6,8 +6,8 @@ # PORTNAME= ssh2 -PORTVERSION= 3.1.0 -PORTREVISION= 1 +PORTVERSION= 3.1.2 +PORTREVISION= 0 CATEGORIES= security ipv6 MASTER_SITES= ftp://ftp.ssh.com/pub/ssh/ \ ftp://sunsite.unc.edu/pub/packages/security/ssh/ \ diff -u ssh2.old/distinfo ssh2/distinfo --- ssh2.old/distinfo Tue May 28 10:46:58 2002 +++ ssh2/distinfo Tue May 28 11:18:33 2002 
@@ -1 +1 @@ -MD5 (ssh-3.1.0.tar.gz) = 0a692bff9c0b2cdb1333c4b5bb8d4a1c +MD5 (ssh-3.1.2.tar.gz) = 3da96ec4886063369eb29674b491b2c0 Common subdirectories: ssh2.old/files and ssh2/files
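
Review bot: In the ssh2/Makefile hunk, the added line "+PORTREVISION= 0" should be dropped instead of being kept at zero. The PORTVERSION change from 3.1.0 to 3.1.2 already resets the revision, and an explicit zero only leaves a line that has to be remembered on the next bump. Removing both "-PORTREVISION= 1" and the replacement line gives the same package version with less to maintain.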
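
Review bot: In the ssh2/distinfo hunk, the new MD5 for ssh-3.1.2.tar.gz is the only integrity check on a tarball that the MASTER_SITES shown in the Makefile context fetch over plain ftp://, and this update is submitted as a security fix. The submission should say which site the checksum was computed from, and the committer should confirm it against a value published by the vendor before committing.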

State-Changed-From-To: open->closed
State-Changed-By: petef
State-Changed-When: Tue May 28 14:28:14 PDT 2002
State-Changed-Why:
Update committed, thanks for the problem report + the patch.

http://www.freebsd.org/cgi/query-pr.cgi?pr=38592
>Unformatted: