From: Matthew Seaman
To: Warner Joseph
Cc: "'Joshua Lee'", freebsd-questions@FreeBSD.ORG
Subject: Re: Upgrading SSH
Date: Tue, 16 Jul 2002 22:54:18 +0100
Message-ID: <20020716215418.GA37671@happy-idiot-talk.infracaninophi>

On Tue, Jul 16, 2002 at 04:44:35PM -0400, Warner Joseph wrote:
> I'm familiar with this and run 'make world' often
> in order to stay up to date. However, it's my
> understanding that Openssh-3.4 wasn't included
> with the base install, meaning that simply running
> cvsup and doing a 'make world' would still leave you
> with the vulnerable version. Is this incorrect?

The ssh bundled with 4-STABLE and the security branches never was
vulnerable to the recent OpenSSH compromise.

More by luck than judgement --- 4-STABLE was using a version based on
OpenSSH 2.9 until recently, and that preceded the incorporation of the
block of code where the bug manifested itself. As a result of the hype
surrounding the announcement of the OpenSSH bug, when it wasn't at all
clear exactly what older versions were affected, the decision was taken
to upgrade to the latest portable OpenSSH 4.3p1 in 4-STABLE. Hence the
easiest way to upgrade right now is just to cvsup a recent version of
stable and make world in the usual fashion.

It turns out that the only version of FreeBSD that ever contained a
vulnerable OpenSSH in the base system was 5-CURRENT, as per the recent
security advisement:

FreeBSD-SA-02:31.openssh.asc
(ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02%3A31.openssh.asc)

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   26 The Paddocks
                                                  Savill Way
Tel: +44 1628 476614                              Marlow
Fax: +44 0870 0522645                             Bucks., SL7 1TH UK
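An added helper, not part of Matthew's reply or of FreeBSD itself: a small POSIX sh script that answers the question the thread is really about (is the installed OpenSSH older than the 3.4 release the poster mentions?) by parsing `ssh -V` banners, including the FreeBSD-localised banner format. The 3.4 threshold, the banner layouts and the host|banner inventory format are assumptions made here.

```sh
#!/bin/sh
# Constructed example: classify OpenSSH banners against the 3.4 release that the
# thread treats as the fixed one. Threshold and banner formats are assumptions.

# Print "major.minor" from a banner such as "OpenSSH_3.4p1, SSH protocols ..."
# or FreeBSD's "OpenSSH_2.9 FreeBSD localisations 20020307"; print nothing
# when the banner is not an OpenSSH banner.
openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Return 0 when the version is older than 3.4, 1 when it is 3.4 or newer,
# and 2 when the banner could not be parsed (so callers do not treat an
# unknown server as "safe").
openssh_needs_upgrade() {
    v=$(openssh_version "$1")
    [ -n "$v" ] || return 2
    major=${v%%.*}
    minor=${v#*.}
    if [ "$major" -lt 3 ]; then return 0; fi
    if [ "$major" -eq 3 ] && [ "$minor" -lt 4 ]; then return 0; fi
    return 1
}

# Read "host|banner" lines (a constructed inventory format, e.g. collected by
# running `ssh -V` on each machine) and print the hosts whose OpenSSH is
# older than 3.4, one per line. Unparseable banners are skipped here.
hosts_needing_upgrade() {
    while IFS='|' read -r host banner; do
        if openssh_needs_upgrade "$banner"; then
            printf '%s\n' "$host"
        fi
    done
}

# Classify the ssh installed on this machine; `ssh -V` writes its banner
# to stderr, hence the redirection.
check_local_ssh() {
    command -v ssh >/dev/null 2>&1 || { echo "ssh not found"; return 2; }
    banner=$(ssh -V 2>&1)
    if openssh_needs_upgrade "$banner"; then
        echo "older than 3.4: $banner"
    else
        echo "3.4 or newer (or unrecognised banner): $banner"
    fi
}
```

Source the file and call `check_local_ssh`, or pipe an inventory into `hosts_needing_upgrade` to get the list of machines still to be rebuilt.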