freebsd security - Nov 2016 - FreeBSD Security Advisory FreeBSD-SA-16:33.openssh

Both 10.1 and 10.2 are going to be unsupported by the end of this
year, that's probably the reason the fix was not included in them.

https://www.freebsd.org/security/#sup

-Kimmo

On Wed, Nov 2, 2016 at 3:57 PM, Martin Simmons <martin at lispworks.com>
wrote:
>>>>>> On Wed,  2 Nov 2016 07:55:33 +0000 (UTC), FreeBSD
Security Advisories said:
>>
>>
============================================================================>>
FreeBSD-SA-16:33.openssh                                    Security Advisory
>>                                                           The FreeBSD
Project
>>
>> Topic:          OpenSSH Remote Denial of Service vulnerability
>>
>> Category:       contrib
>> Module:         OpenSSH
>> Announced:      2016-11-02
>> Affects:        All supported versions of FreeBSD.
>> Corrected:      2016-11-02 06:56:35 UTC (stable/11, 11.0-STABLE)
>>                 2016-11-02 07:23:19 UTC (releng/11.0, 11.0-RELEASE-p3)
>>                 2016-11-02 06:58:47 UTC (stable/10, 10.3-STABLE)
>>                 2016-11-02 07:23:36 UTC (releng/10.3, 10.3-RELEASE-p12)
>> CVE Name:       CVE-2016-8858
>
> Should this be corrected in 10.1-RELEASE as well?
>
> I ask because Debian
> (https://security-tracker.debian.org/tracker/CVE-2016-8858) has marked it
as
> vulnerable in OpenSSH 6.0 and OpenSSH 6.7 and it looks like 10.1-RELEASE
> contains OpenSSH 6.6, which I assume is also vulnerable.
>
> __Martin
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at
freebsd.org"

On 2016/11/03 09:41, Kimmo Paasiala wrote:
> Both 10.1 and 10.2 are going to be unsupported by the end of this
> year, that's probably the reason the fix was not included in them.
> 
> https://www.freebsd.org/security/#sup
> 
Yes, but 10.1 and 10.2 are still supported for the next two months.
That means they should get security patches where warranted until Dec
31st.  There's no point in stating an EoL date if the end of the support
lifetime is effectively a few months before that...

If and advisory hasn't been issued for 10.1 and 10.2 that's because the
Security Team currently don't think the problem applies to those
versions.  It's possible SecTeam are mistaken and will need to update
the advisory, but SecTeam are usually pretty accurate about these things.

	Cheers,

	Matthew
	


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 972 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.freebsd.org/pipermail/freebsd-security/attachments/20161103/2f3d907a/attachment.sig>