Date: Sun, 26 Feb 2006 04:23:17 +0200
From: Giorgos Keramidas
To: "Daniel A."
Cc: freebsd-questions@freebsd.org
Subject: Re: Updating OpenSSH

On 2006-02-26 01:25, "Daniel A." wrote:
> Hi, quick question.
> How do I update the OpenSSH which ships with FreeBSD6.0-RELEASE by default?
>
> It's just that I don't feel secure running an old version (4.2p1) of
> OpenSSH when there is a newer (4.3) version available.

To get security fixes, you have to update the base system to at least one of the security branches or 6-STABLE. The differences of /usr/src/UPDATING between RELENG_6_0_0_RELEASE (which marks the 6.0-RELEASE in CVS) and the RELENG_6_0 branch are currently:

# Index: UPDATING # =================================================================== # RCS file: /home/ncvs/src/UPDATING,v # retrieving revision 1.416.2.3.2.5 # retrieving revision 1.416.2.3.2.9 # diff -u -r1.416.2.3.2.5 -r1.416.2.3.2.9 # --- UPDATING 1 Nov 2005 23:43:49 -0000 1.416.2.3.2.5 # +++ UPDATING 25 Jan 2006 10:01:25 -0000 1.416.2.3.2.9 # 
@@ -8,6 +8,37 @@ # /usr/ports/UPDATING. Please read that file before running # portupgrade. # # +20060125: p4 FreeBSD-SA-06:06.kmem, FreeBSD-SA-06:07.pf # + Make sure buffers in if_bridge are fully initialized before # + copying them to userland. Correct a logic error which could # + allow too much data to be copied into userland. [06:06] # + # + Correct an error in pf handling of IP packet fragments which # + could result in a kernel panic. [06:07] # + # +20060118: p3 FreeBSD-SA-06:05.80211 # + Correct a buffer overflow when scanning for 802.11 wireless # + networks which can be provoked by corrupt beacon or probe # + response frames. # + # +20060111: p2 FreeBSD-SA-06:01.texindex, FreeBSD-SA-06:02.ee, # + FreeBSD-SA-06:03.cpio, FreeBSD-SA-06:04.ipfw # + Correct insecure temporary file usage in texindex. [06:01] # + # + Correct insecure temporary file usage in ee. [06:02] # + # + Correct a race condition when setting file permissions, # + sanitize file names by default, and fix a buffer overflow # + when handling files larger than 4GB in cpio. [06:03] # + # + Fix an error in the handling of IP fragments in ipfw which # + can cause a kernel panic. [06:04] # + # +20051219: p1 FreeBSD-EN-05:04.nfs # + Correct a locking issue in nfs_lookup() where a call to vrele() # + might be made while holding the vnode mutex, which resulted # + in kernel panics under certain load patterns. # + # 20051101: # FreeBSD 6.0-RELEASE # # 
@@ -404,4 +435,4 @@ # Contact Warner Losh if you have any questions about your use of # this document. # # -$FreeBSD: src/UPDATING,v 1.416.2.3.2.5 2005/11/01 23:43:49 scottl Exp $ # +$FreeBSD: src/UPDATING,v 1.416.2.3.2.9 2006/01/25 10:01:25 cperciva Exp $

Since there haven't been any security fixes for OpenSSH in the RELENG_6_0 branch, I think you can safely assume it's ok to keep using this OpenSSH version.

As a general principle though, you should definitely check the announcements of the security team, at:

	http://www.FreeBSD.org/security/

and decide for yourself when you need to update, how to update, etc.

- Giorgos
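
Review bot: The p1 to p4 entries added in the first hunk (@@ -8,6 +8,37 @@) say what each fix corrects but not what has to be rebuilt or restarted to pick it up. Several of them mention kernel panics or data copied to userland, while the 20060111 entry also covers texindex, ee and cpio, so a reader cannot tell from the entry alone whether a new kernel, a new world, or both are needed. One closing line per entry stating the required rebuild would let an administrator act on UPDATING without opening every advisory.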
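
An added example, not part of the original message or of FreeBSD: a small sh/awk filter that lists the advisories named in UPDATING entries newer than the release marker, so you can check whether any of them concerns a given component. The function names and the sample text (abridged from the diff quoted above) are constructed for illustration; the topic match assumes the suffix after the dot in an advisory name identifies the component.

```shell
#!/bin/sh
# Constructed sample: entries abridged from the UPDATING diff quoted above.
sample_updating() {
cat <<'EOF'
20060125: p4 FreeBSD-SA-06:06.kmem, FreeBSD-SA-06:07.pf
    Make sure buffers in if_bridge are fully initialized before
    copying them to userland.  [06:06]

    Correct an error in pf handling of IP packet fragments which
    could result in a kernel panic.  [06:07]

20060111: p2 FreeBSD-SA-06:01.texindex, FreeBSD-SA-06:02.ee,
    FreeBSD-SA-06:03.cpio, FreeBSD-SA-06:04.ipfw
    Correct insecure temporary file usage in texindex.  [06:01]

20051219: p1 FreeBSD-EN-05:04.nfs
    Correct a locking issue in nfs_lookup().

20051101:
    FreeBSD 6.0-RELEASE
EOF
}

# Read UPDATING on stdin and print "date patchlevel advisory" for every
# advisory named in a dated entry. Stops at the first line ending in
# "-RELEASE", which marks the release entry itself.
list_advisories() {
    awk '
    /^[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:/ {
        date = substr($1, 1, 8)
        level = ($2 ~ /^p[0-9]+$/) ? $2 : "-"
    }
    /-RELEASE$/ { exit }
    date != "" {
        line = $0    # header lines may continue onto the next line
        while (match(line, /FreeBSD-(SA|EN)-[0-9]+:[0-9]+\.[A-Za-z0-9_]+/)) {
            print date, level, substr(line, RSTART, RLENGTH)
            line = substr(line, RSTART + RLENGTH)
        }
    }'
}

# Print only the advisories whose topic suffix equals $1 (exact match,
# case-insensitive), so "pf" does not also select "ipfw".
advisories_for() {
    list_advisories | awk -v topic="$1" '{
        n = split($3, part, ".")
        if (tolower(part[n]) == tolower(topic)) print $3
    }'
}
# On a real system: advisories_for openssh < /usr/src/UPDATING
```

An empty result only means UPDATING names no advisory with that suffix on the checked-out branch; the security team's announcements remain the authoritative list.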