Subject: Re: applying NetBSD Security Advisory 2001-010
To: Sam Carleton <scarleton@miltonstreet.com>
From: None <rottz@securityflaw.com>
List: tech-security
Date: 07/25/2001 12:42:53
Sam Carleton wrote:
>
> Folks,
>
> I have a basic install of NetBSD 1.5. And I use ssh as my main form of
> access to the box so this is an important update for me. The
> instructions talk about using the program cvs. I do NOT have cvs on my
> machine. Is this part of the whole package setup, which I also don't
> have installed? Or is it something else?
http://www.netbsd.org/Documentation/software/packages.html
You can find the cvs package in /usr/pkgsrc/devel/cvs
But you can also update your source with the "sup" program,
which is what most people use to update their src.
> I am under the impression that
> this security advisory is informing us that there is a new version of
> ssh, is that true? If there is a new version of ssh, would it not be
> easier for me to simply download the new version, compile it and
> install?
It's NOT a new version, just a bug fix for the current version.
Version: NetBSD-current: /usr/sbin/sshd from source before June 14, 2001
         NetBSD 1.5:     affected
         pkgsrc:         openssh packages prior to 2.9p2 (2.9p2 is safe)
>
> Sam
Rottz
--
rottz at securityflaw dot com
Founder of Securityflaw