Date: Tue, 16 Jul 2002 18:17:33 -0400 From: Warner Joseph <Joseph.Warner@siemens.com> To: "'Matthew Seaman'" <m.seaman@infracaninophile.co.uk> Cc: "'Joshua Lee'" <yid@softhome.net>, freebsd-questions@freebsd.org Subject: RE: Upgrading SSH Message-ID: <F59D56D98019A24391D6396DD708C8210C5AFB@MLVV9MBE.usmlvv1p0a.smshsc.net>
next in thread | raw e-mail | index | archive | help
Thanks Matt! >As a result of the hype surrounding the announcement of the OpenSSH >bug, when it wasn't at all clear exactly what older versions were >affected, the decision was taken to upgrade to the latest portable >OpenSSH 4.3p1 in 4-STABLE. Hence the easiest way to upgrade right now >is just to cvsup a recent version of stable and make world in the >usual fashion. Yes, precisely why I said: "However, it's my understanding that Openssh-3.4 wasn't included" ..meaning "at that time" I agree there was quite a bit of confusion regarding which versions were affected, I was quite confused at the time myself. Upgrading Openssh the way I did, at that time, was the best option for me. I take vulnerabilities seriously and needed ssh patched as quickly as possible with limited downtime. It's good to know I won't have to worry about anything the next time I 'make world'. Thanks for the good info. Joe Siemens - Health Services Joe Warner Operations Technical Analyst II 215 North Admiral Byrd Rd., Salt Lake City, UT 84116 Ph: 801-539-4978 Fax: 801-533-8004 -----Original Message----- From: Matthew Seaman [mailto:m.seaman@infracaninophile.co.uk] Sent: Tuesday, July 16, 2002 3:54 PM To: Warner Joseph Cc: 'Joshua Lee'; freebsd-questions@FreeBSD.ORG Subject: Re: Upgrading SSH On Tue, Jul 16, 2002 at 04:44:35PM -0400, Warner Joseph wrote: > I'm familiar with this and run 'make world' often > in order to stay up to date. However, it's my > understanding that Openssh-3.4 wasn't included > with the base install, meaning that simply running > cvsup and doing a 'make world' would still leave you > with the vulnerable version. Is this incorrect? The ssh bundled with 4-STABLE and the security branches never was vulnerable to the recent OpenSSH compromise. More by luck than judgement --- 4-STABLE was using a version based on OpenSSH 2.9 until recently, and that preceeded the incorporation of the block of code where the bug manifested itself. As a result of the hype surrounding the announcement of the OpenSSH bug, when it wasn't at all clear exactly what older versions were affected, the decision was taken to upgrade to the latest portable OpenSSH 4.3p1 in 4-STABLE. Hence the easiest way to upgrade right now is just to cvsup a recent version of stable and make world in the usual fashion. It turns out that the only version of FreeBSD that ever contained a vulnerable OpenSSH in the base system was 5-CURRENT, as per the recent security advisement: FreeBSD-SA-02:31.openssh.asc (ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02%3A31.openss h.asc) Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks Savill Way Tel: +44 1628 476614 Marlow Fax: +44 0870 0522645 Bucks., SL7 1TH UK ------------------------------------------------------------------------------- This message and any included attachments are from Siemens Medical Solutions Health Services Corporation and are intended only for the addressee(s). The information contained herein may include trade secrets or privileged or otherwise confidential information. Unauthorized review, forwarding, printing, copying, distributing, or using such information is strictly prohibited and may be unlawful. If you received this message in error, or have reason to believe you are not authorized to receive it, please promptly delete this message and notify the sender by e-mail with a copy to CSOffice@smed.com. Thank you To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?F59D56D98019A24391D6396DD708C8210C5AFB>