Date: Fri, 18 Jul 2008 10:51:40 -0700 (PDT)
From: Dorr H. Clark
Subject: 7482: please fix cracked web page on your site

Dear Security Focus Dot Com-

I would like you to fix your website.

This page:

makes claims about OpenSSH which are confusing people.
We're getting challenged about staging systems w/o
patches when there is no patch available.

This page is also not consistent with the rest
of your website.

The page makes claims about vulnerable deployments
all the way up to OpenSSH 3.9, and a mix of associated
OSes. But there is no corresponding general alert.
Only Ubuntu Linux ever tracked this, as USN-34-1.

Some people have linked this failure, conceptually,
to CVE-2003-0190 which is on your website as Bugtraq 7467.
But CVE-2003-0190 is specific to OpenSSH 3.6.1 and earlier
and many users went to OpenSSH 3.8.1 which was believed
to be sufficient.

One of the following has to be true:

1) 7482 is actually a duplicate of 7467
If so, the vulnerable releases of OpenSSH listed
on this page should be trimmed back to 3.6.1

2) 7482 is different from 7467, but specific to Ubuntu Linux
If so, all the other "claims" of vulnerable OSes
listed on 7482 should be removed

Please clean up this webpage which is misleading users.

AT LEAST please add a statement to this page clarifying
the following point:

FreeBSD 4.7 & later upgraded to OpenSSH 3.8.1
is NOT VULNERABLE to Bugtraq ID 7482.

If all this is wrong, and FreeBSD 4.x running OpenSSH 3.8.1
is actually vulnerable to 7482, then either show us the patch
or explain the required OpenSSH version upgrade,
and reflect this information on your website at the 7482 page.


-Dorr H. Clark

Graduate School of Engineering
Santa Clara University