Date: Fri, 18 Jul 2008 10:51:40 -0700 (PDT)
From: Dorr H. Clark <dclark@xxxxxxxxxxxx>
To: vuldb@xxxxxxxxxxxxxxxxx
Cc: secteam@xxxxxxxxxxx, secureshell@xxxxxxxxxxxxxxxxx
Subject: 7482: please fix cracked web page on your site

Dear Security Focus Dot Com,

I would like you to fix your website. This page:

  http://www.securityfocus.com/bid/7482/info

makes claims about OpenSSH which are confusing people. We're getting challenged about staging systems w/o patches when there is no patch available.

This page is also not consistent with the rest of your website. The page makes claims about vulnerable deployments all the way up to OpenSSH 3.9, and a mix of associated OSes. But there is no corresponding general alert. Only Ubuntu Linux ever tracked this, as USN-34-1.

Some people have linked this failure, conceptually, to CVE-2003-0190, which is on your website as Bugtraq 7467. But CVE-2003-0190 is specific to OpenSSH 3.6.1 and earlier, and many users went to OpenSSH 3.8.1, which was believed to be sufficient.

One of the following has to be true:

1) 7482 is actually a duplicate of 7467.
   If so, the vulnerable releases of OpenSSH listed on this page should be trimmed back to 3.6.1.

2) 7482 is different from 7467, but specific to Ubuntu Linux.
   If so, all the other "claims" of vulnerable OSes listed on 7482 should be removed.

Please clean up this webpage, which is misleading users.

AT LEAST please add a statement to this page clarifying the following point:

  FreeBSD 4.7 & later upgraded to OpenSSH 3.8.1 is NOT VULNERABLE to Bugtraq ID 7482.

If all this is wrong, and FreeBSD 4.x running OpenSSH 3.8.1 is actually vulnerable to 7482, then either show us the patch or explain the required OpenSSH version upgrade, and reflect this information on your website at the 7482 page.

Thanks,

-Dorr H. Clark
Graduate School of Engineering
Santa Clara University
http://www.cse.scu.edu/~dclark/coen_284_FreeBSD/