Dear Sirs,

Excuse me if I am wrong, but on the RELENG_4 tag the openssh port seems to be the old version, as far as I can see (on the http://www.freebsd.org/cgi/cvsweb.cgi/src/ RELENG_4 tag). And there are *some* security problems with it:

http://www.openbsd.org/errata.html

028: SECURITY FIX: Oct 6, 2000
There are printf-style format string bugs in several privileged programs.

Looks like we've missed something.

Please note that -current has the patched (2.2.0) version of openssh. Please note that the openssh.2.2.0p1 distribution downloaded from openssh.com fixes it too.

I can't understand why this patch, among others:

if (fail) { - log(buf); fclose(f); + log("%s",buf); restore_uid(); return 0; }

has been published on Oct/06, and 2.2.0 is available as of September, in which the above is patched.

Just last night I compiled openssh2.2.0p1 on my machine, just to replace the buggy code. The ports has the old version, no matter that it has been updated through cvsup 1 week ago; the same was done with the /usr/src/ tree.

As far as I noticed, the above fragment has *not* been present in any of the sources: the ports, under /usr/ports/security/openssh/, and the /usr/src/ RELENG_4 branch (4.x-stable).

Regards,
Zvezdelin Vladov
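Review bot: the added `log("%s",buf);` sits after `fclose(f);`, while the removed `log(buf);` sat before it, so as quoted the hunk reorders the log call in addition to making the format string a literal. If the move is not intended, keep the call in its original position so the change is limited to the `"%s"` fix; if it is intended, say why in the commit message. A space after the comma (`log("%s", buf);`) would also match the usual C style.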