From: Brett Glass
To: questions@freebsd.org
Date: Tue, 02 Jul 2024 18:50:44 -0600
Subject: Close OpenSSH hole on 13.1-RELEASE server without shutting down?
Message-Id: <202407030050.SAA06884@mail.lariat.net>
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

Hello!

We have a server running FreeBSD 13.1-RELEASE (current patch level: p5) in a remote location. It's running well, and uses a custom statically linked kernel with no loadable modules to conserve memory and allow better security. We just found out about the latest OpenSSH bug, and want to patch. Unfortunately, the freebsd-update utility isn't updating it, because it is JUST ONE POINT VERSION beyond the earliest one for which the Security Team has provided updates. And we can't shut the server down to do a major upgrade right now. (Upgrades to systems using custom kernels are especially dicey and frequently result in lockouts, which in this case would not only interrupt important activities but require a 50 mile drive.) Any ideas as to how to JUST upgrade OpenSSH?
I've looked at installing the openssh-portable binary package, but when I start the process by doing a "pkg update" I get a warning message indicating OS mismatches for lots of packages. The error messages all include the line "To ignore this error set IGNORE_OSVERSION=yes" (which I assume means to start sh, set that environment variable in the shell, and then run the command). Is this safe?

--Brett Glass
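An added example, not part of Brett's post and not code from FreeBSD or pkg(8), covering the two things the post raises: confirming which OpenSSH version a given binary actually reports (the base system's sshd under /usr and any openssh-portable package under /usr/local are separate installs, so both should be checked) and passing IGNORE_OSVERSION to a single pkg command rather than exporting it in the login shell. The minimum version is a placeholder to be set from the relevant advisory, and the version lines used in the checks are constructed samples, not output captured from a host.

```shell
#!/bin/sh
# Added example, not code from the original post or from FreeBSD/pkg(8).
#   1. Parse the version an OpenSSH binary reports and compare it with a
#      required minimum (MIN_VERSION is a placeholder, not taken from an advisory).
#   2. Run "pkg update" with IGNORE_OSVERSION set for that one command only,
#      so the override does not linger in the shell and apply to later pkg runs.
# Version strings in the tests are constructed, not captured from a real host.

MIN_VERSION="${MIN_VERSION:-9.8.0}"   # placeholder: the fixed release you require

# Turn "OpenSSH_9.3p2 FreeBSD-20230316, OpenSSL ..." into "9.3.2".
# A release without a portable patch level ("OpenSSH_9.7,") becomes "9.7.0".
# Prints nothing when the line is not an OpenSSH version banner.
openssh_version() {
    printf '%s\n' "$1" | awk '
        /^OpenSSH_/ {
            v = $1; sub(/^OpenSSH_/, "", v); sub(/,$/, "", v)
            n = split(v, a, /[.p]/)
            pat = (n >= 3 && a[3] != "") ? a[3] : 0
            printf "%d.%d.%d\n", a[1], a[2], pat
            exit
        }'
}

# True (exit 0) when version $1 is at least version $2, both as major.minor.patch.
version_ge() {
    awk -v have="$1" -v need="$2" 'BEGIN {
        split(have, h, "."); split(need, n, ".")
        for (i = 1; i <= 3; i++) {
            if (h[i] + 0 > n[i] + 0) exit 0
            if (h[i] + 0 < n[i] + 0) exit 1
        }
        exit 0
    }'
}

# Classify one banner line against a minimum: prints "ok", "needs-update"
# or "unrecognised" and returns 0, 1 or 2 respectively.
check_version_line() {
    ver="$(openssh_version "$1")"
    if [ -z "$ver" ]; then
        echo "unrecognised"; return 2
    fi
    if version_ge "$ver" "$2"; then
        echo "ok"; return 0
    fi
    echo "needs-update"; return 1
}

# Report every OpenSSH tree present. On FreeBSD the base sshd is /usr/sbin/sshd
# and the openssh-portable package installs a second one under /usr/local. The
# ssh client beside each sshd is built from the same source tree, and "ssh -V"
# prints that version on stderr, so it is used here to read the version.
report_installed() {
    for prefix in /usr /usr/local; do
        [ -x "$prefix/bin/ssh" ] || continue
        line="$("$prefix/bin/ssh" -V 2>&1)"
        printf '%-20s %s -> %s\n' "$prefix/bin/ssh" "$line" \
            "$(check_version_line "$line" "$MIN_VERSION")"
    done
}

# Refresh the package catalogue with the OS-version check overridden for this
# one command. env(1) scopes the variable to the command, so nothing stays
# exported in the calling shell.
pkg_update_ignoring_osversion() {
    if ! command -v pkg >/dev/null 2>&1; then
        echo "pkg(8) not present on this host; nothing to do" >&2
        return 0
    fi
    env IGNORE_OSVERSION=yes pkg update
}

# Only touch the live system when explicitly asked; sourcing or running the
# file without arguments just defines the functions.
if [ "${1:-}" = "--live" ]; then
    report_installed
    pkg_update_ignoring_osversion
fi
```

Run it with `--live` on the server to see which of the two trees is at which version before and after installing the package. Installing openssh-portable does not replace /usr/sbin/sshd; the package's sshd lives under /usr/local with its own rc script, so the base daemon keeps listening until it is disabled and the package one enabled. On a box that is a long drive away, start the new sshd on a second port first (`-f` with a copy of the config and `-p` with a spare port, after `sshd -t` validates the file), confirm a login through it, and only then switch the rc.conf entries and restart the old daemon.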