From: Warner Joseph
To: "'Matthew Seaman'"
Cc: "'Joshua Lee'", freebsd-questions@freebsd.org
Subject: RE: Upgrading SSH
Date: Tue, 16 Jul 2002 18:17:33 -0400

Thanks Matt!

>As a result of the hype surrounding the announcement of the OpenSSH
>bug, when it wasn't at all clear exactly what older versions were
>affected, the decision was taken to upgrade to the latest portable
>OpenSSH 4.3p1 in 4-STABLE. Hence the easiest way to upgrade right now
>is just to cvsup a recent version of stable and make world in the
>usual fashion.

Yes, precisely why I said: "However, it's my understanding that
Openssh-3.4 wasn't included" ..meaning "at that time"

I agree there was quite a bit of confusion regarding which versions
were affected, I was quite confused at the time myself. Upgrading
Openssh the way I did, at that time, was the best option for me. I
take vulnerabilities seriously and needed ssh patched as quickly as
possible with limited downtime.

It's good to know I won't have to worry about anything the next time I
'make world'. Thanks for the good info.

Joe

Siemens - Health Services
Joe Warner
Operations Technical Analyst II
215 North Admiral Byrd Rd., Salt Lake City, UT 84116
Ph: 801-539-4978
Fax: 801-533-8004

-----Original Message-----
From: Matthew Seaman [mailto:m.seaman@infracaninophile.co.uk]
Sent: Tuesday, July 16, 2002 3:54 PM
To: Warner Joseph
Cc: 'Joshua Lee'; freebsd-questions@FreeBSD.ORG
Subject: Re: Upgrading SSH

On Tue, Jul 16, 2002 at 04:44:35PM -0400, Warner Joseph wrote:

> I'm familiar with this and run 'make world' often
> in order to stay up to date. However, it's my
> understanding that Openssh-3.4 wasn't included
> with the base install, meaning that simply running
> cvsup and doing a 'make world' would still leave you
> with the vulnerable version. Is this incorrect?

The ssh bundled with 4-STABLE and the security branches never was
vulnerable to the recent OpenSSH compromise. More by luck than
judgement --- 4-STABLE was using a version based on OpenSSH 2.9 until
recently, and that preceded the incorporation of the block of code
where the bug manifested itself.

As a result of the hype surrounding the announcement of the OpenSSH
bug, when it wasn't at all clear exactly what older versions were
affected, the decision was taken to upgrade to the latest portable
OpenSSH 4.3p1 in 4-STABLE. Hence the easiest way to upgrade right now
is just to cvsup a recent version of stable and make world in the
usual fashion.

It turns out that the only version of FreeBSD that ever contained a
vulnerable OpenSSH in the base system was 5-CURRENT, as per the recent
security advisement:

FreeBSD-SA-02:31.openssh.asc
(ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02%3A31.openssh.asc)

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way
Marlow, Bucks., SL7 1TH UK
Tel: +44 1628 476614
Fax: +44 0870 0522645