I think this explains it pretty well: (it's under section 3. of the advisory
you posted).
<blockquote>
NOTE. FreeBSD uses both a different PAM implementation and a different PAM
support in OpenSSH: it doesn't seem to be vulnerable to this particular
timing leak issue.
All OpenSSH-portable releases <= OpenSSH_3.6.1p1 compiled with PAM support
enabled (./configure --with-pam) are vulnerable to this information leak. The
PAMAuthenticationViaKbdInt directive doesn't need to be enabled in
sshd_config.
</blockquote>
However, it lists MACOSX as "unconfirmed". I thought MACOSX used
the FreeBSD ssh implementation.
On Mon, May 12, 2003 at 11:31:03PM +0200, Omar Lopez wrote:
> Hi:
> I read this security advisory.
> http://lab.mediaservice.net/advisory/2003-01-openssh.txt
> Is my FreeBSD 5.0 affected? What other versions are affected?
>
> Thanks.
>
--
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology
Yale University School of Medicine
SenseLab | Research Assistant
http://cowbert.2y.net/