Date: Tue, 2 Jul 2024 18:03:28 -0700
From: Dan Mahoney <freebsd@gushi.org>
To: Brett Glass <brett@lariat.net>
Cc: questions@freebsd.org
Subject: Re: Close OpenSSH hole on 13.1-RELEASE server without shutting down?
Message-ID: <BEF296B0-49CF-4A3C-A92D-B115AFC1C127@gushi.org>
In-Reply-To: <202407030050.SAA06884@mail.lariat.net>
References: <202407030050.SAA06884@mail.lariat.net>

> On Jul 2, 2024, at 17:50, Brett Glass <brett@lariat.net> wrote:
>
> Hello!
>
> We have a server running FreeBSD 13.1-RELEASE (current patch level: p5) in a remote location. It's running well, and uses a custom statically linked kernel with no loadable modules to conserve memory and allow better security.
>
> We just found out about the latest OpenSSH bug, and want to patch. Unfortunately, the freebsd-update utility isn't updating it, because it is JUST ONE POINT VERSION beyond the earliest one for which the Security Team has provided updates. And we can't shut the server down to do a major upgrade right now. (Upgrades to systems using custom kernels are especially dicey and frequently result in lockouts, which in this case would not only interrupt important activities but require a 50 mile drive.)
>
> Any ideas as to how to JUST upgrade OpenSSH? I've looked at installing the openssh-portable binary package, but when I start the process by doing a "pkg update" I get a warning message indicating OS mismatches for lots of packages. The error messages all include the line
>
> To ignore this error set IGNORE_OSVERSION=yes
>
> (which I assume means to start sh, set that environment variable in the shell, and then run the command). Is this safe?

There is a workaround posted in the security advisory. You can also firewall off ssh connections from anywhere but trusted sources. Note that if you're still on 13.1 there are other security advisories to be aware of beyond the ssh one. (Albeit none quite so egregious).

-Dan