# FreeBSD SSH Security advisory



## frijsdijk (Nov 19, 2013)

So, finally, today, the advisory was released for FreeBSD:

http://www.freebsd.org/security/advisories/FreeBSD-SA-13:14.openssh.asc

I'm disappointed in FreeBSD here, the advisory is really late. FreeBSD is supposed to be a secure OS, but it seems that FreeBSD is one of the last that releases the advisory and consequent fix.

Still a lover of the OS, but the tempo could be ramped up a bit, or at least prioritised. Especially with these kinds of things. I can imagine it takes some time to make a patch for this, but there was a very easy workaround available. Why not publish that right away?


----------



## SirDice (Nov 19, 2013)

I'm guessing they were a little too busy trying to get 10.0-RELEASE out the door. There are a limited number of people working on FreeBSD and there's only so much they can do.


----------



## kpa (Nov 19, 2013)

The only vulnerable version was the BETA of FreeBSD 10 (that is not even listed as supported yet!) and there was a good workaround for it, namely disabling the vulnerable ciphers in sshd_config(5). Did you know that the people working on providing fixes to these vulnerabilities are all unpaid volunteers? Maybe you could do something yourself too to improve the situation if it's really so bad in your opinion?
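The workaround mentioned above, restricting the ciphers sshd offers, as an added example that is not from this thread or from FreeBSD's advisory: a POSIX sh script that checks whether an `sshd_config` would still let the AES-GCM ciphers be negotiated and writes a copy with a GCM-free `Ciphers` line. It assumes that OpenSSH 6.2+ includes `aes128-gcm@openssh.com`/`aes256-gcm@openssh.com` in its default list when no `Ciphers` directive is present, and that directives use the `Keyword value` syntax; the CTR-only cipher list is a constructed choice, not the advisory's text.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD's advisory: check whether an
# sshd_config would still let the AES-GCM ciphers be negotiated, and produce a
# copy with the advisory-style workaround (a Ciphers line without GCM) applied.
# Assumptions: OpenSSH 6.2+ offers aes128-gcm@openssh.com/aes256-gcm@openssh.com
# when no Ciphers directive is present; directives use "Keyword value" syntax.

# Prints the Ciphers value sshd would use (the first uncommented directive wins),
# or DEFAULT when the file relies on the built-in list.
effective_ciphers() {
    v=$(awk 'tolower($1)=="ciphers" && !f { f=1; print $2 }' "$1")
    if [ -n "$v" ]; then echo "$v"; else echo DEFAULT; fi
}

# Returns 0 when a GCM cipher could be negotiated with this configuration.
gcm_allowed() {
    case "$(effective_ciphers "$1")" in
        DEFAULT|*gcm@openssh.com*) return 0 ;;
    esac
    return 1
}

# CTR-only list in the spirit of the advisory's workaround (constructed here).
HARDENED_CIPHERS='aes128-ctr,aes192-ctr,aes256-ctr'

# Writes $2 as a copy of $1 with GCM removed: the first Ciphers line is replaced,
# or a hardened line is prepended when the file had none. Prints $2.
harden_config() {
    if [ "$(effective_ciphers "$1")" = DEFAULT ]; then
        { echo "Ciphers $HARDENED_CIPHERS"; cat "$1"; } > "$2"
    else
        awk -v hc="$HARDENED_CIPHERS" \
            'tolower($1)=="ciphers" && !f { f=1; print "Ciphers " hc; next } { print }' \
            "$1" > "$2"
    fi
    echo "$2"
}

# Demo on a constructed config (not a real host's file).
demo_dir=$(mktemp -d)
printf 'Port 22\nCiphers aes256-gcm@openssh.com,aes256-ctr\n' > "$demo_dir/sshd_config"
if gcm_allowed "$demo_dir/sshd_config"; then
    echo "GCM negotiable with: $(effective_ciphers "$demo_dir/sshd_config")"
    harden_config "$demo_dir/sshd_config" "$demo_dir/sshd_config.hardened" >/dev/null
    echo "Hardened to: $(effective_ciphers "$demo_dir/sshd_config.hardened")"
fi
rm -rf "$demo_dir"
```

On a live host, `sshd -T | grep -i ciphers` prints the list the running sshd actually uses, which is the value to compare against after editing.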


----------



## gkontos (Nov 19, 2013)

frijsdijk said:

> Still a lover of the OS, but the tempo could be ramped up a bit, or at least prioritised. Especially with these kinds of things. I can imagine it takes some time to make a patch for this, but there was a very easy workaround available. Why not publish that right away?



A BETA version is not considered production therefore you can expect delays and different priorities than usual.

People with certain experience are encouraged to try the BETA versions mainly for 2 reasons:

1. Test their environments on a new upcoming release and report possible issues.
2. Test the new features of the upcoming release and report problems that they discover.

Of course an essential part of this process is to monitor all the relevant mailing lists.

This might sound kind of general, but it is the case for most OSes, not just FreeBSD.


----------



## frijsdijk (Nov 19, 2013)

Hold on. I thought 9.2-RELEASE was vulnerable as well. But I see in the report of FreeBSD that it isn't. My 9.2-RELEASE box has

```
SSH-2.0-OpenSSH_6.2_hpn13v11 FreeBSD-20130515
```

According to http://www.openssh.com/txt/gcmrekey.adv, 6.2 is vulnerable if OpenSSL was compiled with AES-GCM support. Which it isn't. My bad.

Excuse me!


----------



## kpa (Nov 19, 2013)

Yes, and there's also an unmentioned precondition for OpenSSH to be vulnerable. It has to be compiled with support for TLS 1.2, and that requires OpenSSL version 1.0.1 or later. FreeBSD 9 has only version 0.9.8y of OpenSSL.

http://lists.freebsd.org/pipermail/freebsd-security/2013-November/007259.html


----------



## frijsdijk (Nov 20, 2013)

Clear


----------

