On Thu, May 21, 2009 at 3:37 PM, David Burgess <apt....@gmail.com> wrote:
> http://linux.slashdot.org/article.pl?sid=09/05/21/1824220&from=rss
>
> What versions run in pfsense? Is this something we should be concerned about?
>
This is 6+ month old news, and it's lame; not sure why it's getting so much attention. It's basically impossible to exploit in the real world, aside from scenarios where you have an automatic reconnect on a scripted session, or something of that nature, that will reconnect a few hundred thousand times. It'll take 11,000+ connection-killing attempts to get 14 bits, and requires MITM, which further greatly reduces the possibility of exploit. Info here: http://www.openssh.com/txt/cbc.adv

FreeBSD may put out a security advisory, though I suspect if it hasn't been done yet it won't be. This isn't some "OMG the sky is falling!!1!1" issue.

To mitigate: if your SSH sessions are getting dropped, don't reconnect over 11,000 times. Don't think anyone's going to do that.

With that said, Scott just committed a change to disable CBC.
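The mitigation the reply above describes (disabling CBC modes in sshd) boils down to an explicit Ciphers line with no `*-cbc` entries. The following is an added check for that, not code from the thread or from pfSense: the two sshd_config fragments are constructed, and the cipher names are OpenSSH's Ciphers keyword values.

```shell
#!/bin/sh
# Constructed sshd_config fragments (not the pfSense change itself): the weak one
# still offers CBC modes, the corrected one lists only CTR modes.
WEAK_CFG='Port 22
Ciphers aes128-cbc,3des-cbc,aes128-ctr,aes256-ctr
MACs hmac-sha1'

FIXED_CFG='Port 22
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1'

# Print every CBC-mode cipher explicitly enabled by the Ciphers keyword of the
# sshd_config read on stdin. sshd honours the first occurrence of a keyword, so
# only the first Ciphers line is examined. A value starting with "-" (newer
# OpenSSH syntax) removes names from the default set, so nothing is enabled by
# it; "+" and "^" append/prepend to the defaults and are treated as a plain list.
cbc_ciphers() {
    val=$(tr 'A-Z' 'a-z' \
          | grep '^[[:space:]]*ciphers[[:space:]]' | head -n 1 \
          | sed 's/^[[:space:]]*ciphers[[:space:]]*//')
    case "$val" in
        -*) return 0 ;;
        [+^]*) val=${val#?} ;;
    esac
    printf '%s\n' "$val" | tr ',' '\n' | grep -- '-cbc$' || true
}

# Return 0 only when the config carries an explicit Ciphers line and that line
# enables no CBC mode. A config with no Ciphers line fails the check, because the
# effective default set then depends on the installed OpenSSH version.
cbc_disabled() {
    cfg=$(cat)
    printf '%s\n' "$cfg" | tr 'A-Z' 'a-z' \
        | grep -q '^[[:space:]]*ciphers[[:space:]]' || return 1
    [ -z "$(printf '%s\n' "$cfg" | cbc_ciphers)" ]
}

# Human-readable report for one config passed on stdin, labelled by name.
report() {
    if cbc_disabled; then
        echo "$1: explicit Ciphers line, no CBC mode enabled"
    else
        echo "$1: CBC still possible (check the Ciphers line)"
    fi
}

printf '%s\n' "$WEAK_CFG"  | report weak
printf '%s\n' "$FIXED_CFG" | report fixed
```

Run it against a real file with `cbc_disabled < /etc/ssh/sshd_config`; a non-zero exit means CBC is still reachable or the cipher list was left at the version's default.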