
FreeBSD SSH Security advisory

Discussion in 'General' started by frijsdijk, Nov 19, 2013.

  1. frijsdijk

    frijsdijk Member

    So, finally, today, the advisory was released for FreeBSD:

    http://www.freebsd.org/security/advisories/FreeBSD-SA-13:14.openssh.asc

    I'm disappointed in FreeBSD here, the advisory is really late. FreeBSD is supposed to be a secure OS, but it seems that FreeBSD is one of the last that releases the advisory and consequent fix.

    Still a lover of the OS, but the tempo could be ramped up a bit, or at least prioritised. Especially with these kinds of things. I can imagine it takes some time to make a patch for this, but there was a very easy workaround available. Why not publish that right away?
     
  2. SirDice

    SirDice Moderator Staff Member Moderator

    I'm guessing they were a little too busy trying to get 10.0-RELEASE out the door. There are a limited number of people working on FreeBSD and there's only so much they can do.
     
  3. kpa

    kpa Well-Known Member

    The only vulnerable version was the BETA of FreeBSD 10 (that is not even listed as supported yet!) and there was a good workaround for it, namely disabling the vulnerable ciphers in sshd_config(5). Did you know that the people working on providing fixes to these vulnerabilities are all unpaid volunteers? Maybe you could do something yourself too to improve the situation if it's really so bad in your opinion?
     
  4. gkontos

    gkontos Active Member

    A BETA version is not considered production; therefore you can expect delays and different priorities than usual.

    People with certain experience are encouraged to try the BETA versions mainly for 2 reasons.

    • Test their environments on a new upcoming release and report possible issues.
    • Test the new features of the upcoming release and report problems that they discover.

    Of course an essential part of this process is to monitor all the relevant mailing lists.

    This might sound kind of general, but it is the case for most OSes, not just FreeBSD.
     
  5. frijsdijk

    frijsdijk Member

    Hold on. I thought 9.2-RELEASE was vulnerable as well. But I see in the report of FreeBSD that it isn't. My 9.2-RELEASE box has
    Code:
    SSH-2.0-OpenSSH_6.2_hpn13v11 FreeBSD-20130515

    According to http://www.openssh.com/txt/gcmrekey.adv, 6.2 is vulnerable if OpenSSL was compiled with AES-GCM support. Which it isn't. My bad.

    Excuse me!
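An added check (example script written for this thread, not FreeBSD's or OpenSSH's code) covering the two points raised above: reading the OpenSSH version out of the server banner, as in the post just above, and testing whether an sshd_config still offers the AES-GCM ciphers that the earlier post suggests disabling. It assumes the affected versions named in the OpenSSH advisory (6.2 and 6.3) and that a missing Ciphers line means the built-in default list, which in those versions includes the GCM ciphers; the sample config is constructed.

```shell
#!/bin/sh
# Audit helpers for the OpenSSH AES-GCM rekeying advisory (gcmrekey.adv).
# Example code added for illustration; assumptions are noted inline.

# banner_version BANNER -> prints the OpenSSH version from a server banner,
# e.g. "SSH-2.0-OpenSSH_6.2_hpn13v11 FreeBSD-20130515" -> "6.2"
banner_version() {
    printf '%s\n' "$1" |
        sed -n 's/^SSH-2\.0-OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# version_in_scope VERSION -> 0 if the version is one the OpenSSH advisory
# lists as affected (6.2 and 6.3), 1 otherwise. Vendor patches are not
# visible in the banner, so treat a hit as "check further", not "vulnerable".
version_in_scope() {
    case "$1" in
        6.2|6.3) return 0 ;;
        *)       return 1 ;;
    esac
}

# gcm_enabled SSHD_CONFIG -> 0 if the server would still offer an AES-GCM
# cipher, 1 if an explicit Ciphers line leaves the *-gcm@openssh.com
# ciphers out. Commented-out lines ("#Ciphers ...") are ignored, and the
# keyword is matched case-insensitively as sshd does. Assumption: with no
# Ciphers line at all, the 6.2/6.3 default list (GCM included) applies.
gcm_enabled() {
    ciphers=$(sed -n 's/^[[:space:]]*[Cc][Ii][Pp][Hh][Ee][Rr][Ss][[:space:]][[:space:]]*//p' "$1" |
        head -n 1)
    [ -z "$ciphers" ] && return 0
    case "$ciphers" in
        *gcm@openssh.com*) return 0 ;;
        *)                 return 1 ;;
    esac
}

# Demo on constructed input: the banner quoted in the thread plus a sample
# sshd_config that applies the advisory's workaround (no GCM ciphers).
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' '#Ciphers aes128-gcm@openssh.com' \
        'Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc' > "$tmp"
    v=$(banner_version 'SSH-2.0-OpenSSH_6.2_hpn13v11 FreeBSD-20130515')
    version_in_scope "$v" && echo "OpenSSH $v is in the advisory's range; checking config"
    if gcm_enabled "$tmp"; then echo "AES-GCM still offered"; else echo "AES-GCM disabled (workaround applied)"; fi
    rm -f "$tmp"
}
```

The banner test only tells you whether the upstream version is in range; for a FreeBSD build, the advisory's own patch status and how OpenSSL was compiled decide whether GCM is actually available.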
     
  6. kpa

    kpa Well-Known Member

  7. frijsdijk

    frijsdijk Member
