Subject: Re: applying NetBSD Security Advisory 2001-010
To: Sam Carleton <>
From: None <>
List: tech-security
Date: 07/25/2001 12:42:53
Sam Carleton wrote:
> Folks,
> I have a basic install of NetBSD 1.5.  And I use ssh as my main form of
> access to the box so this is an important update for me.  The
> instructions talk about using the program cvs.  I do NOT have cvs on my
> machine.  Is this part of the whole package setup, which I also don't
> have installed?  Or is it something else?
You can find the cvs package in /usr/pkgsrc/devel/cvs.
But you can also update your source with the "sup" program,
which is what most people use to update their src.

> I am under the impression that
> this security advisory is informing us that there is a new version of
> ssh, is that true?  If there is a new version of ssh, would it not be
> easier for me to simply download the new version, compile it and
> install?
It's NOT a new version, just a bug fix for the current version.
Version:        NetBSD-current: /usr/sbin/sshd from source before June 14, 2001
                NetBSD 1.5:     affected
                pkgsrc:         openssh packages prior to 2.9p2 (2.9p2 is safe)
> Sam

rottz at securityflaw dot com
Founder of Securityflaw