From owner-freebsd-questions  Thu Dec  6 15:52:39 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from kraeusen.nbrewer.com (kraeusen.nbrewer.com [208.42.68.65])
	by hub.freebsd.org (Postfix) with ESMTP id CF8F337B405
	for <freebsd-questions@freebsd.org>; Thu,  6 Dec 2001 15:52:35 -0800 (PST)
Received: by kraeusen.nbrewer.com (Postfix, from userid 1001)
	id 353FDB754; Thu,  6 Dec 2001 17:56:11 -0600 (CST)
Date: Thu, 6 Dec 2001 17:56:11 -0600
From: Christopher Farley <chris@northernbrewer.com>
To: Matthew Luckie <kluckie@ihug.co.nz>
Cc: freebsd-questions@freebsd.org
Subject: Re: Upgrading OpenSSH
Message-ID: <20011206175609.B750@northernbrewer.com>
Mail-Followup-To: Christopher Farley <chris@northernbrewer.com>,
	Matthew Luckie <kluckie@ihug.co.nz>, freebsd-questions@freebsd.org
References: <003b01c17eaf$fcbd1030$1400a8c0@spandex>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <003b01c17eaf$fcbd1030$1400a8c0@spandex>
User-Agent: Mutt/1.3.22.1i
Organization: Northern Brewer, St. Paul, MN
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

Matthew Luckie (kluckie@ihug.co.nz) wrote:

> Hi
> 
> I have a machine in the field with FreeBSD 4.1-RELEASE installed.
> The OpenSSH that shipped on that machine is vulnerable to a number of
> exploits.
> 
> What is the best way to fix this machine?  I am comfortable with using cvsup
> and the build tools.  I am happy to do a full cvsup to the system but I
> anticipate that that is a bit heavy handed to fix just openssh.

There may be other benefits, though, like fixing all the other
major vulnerabilities that have accumulated since 4.1-RELEASE.

> Should I be using one of the security branch fix trees?

If you've got a production machine, you might want to track RELENG_4_4
(the security branch fix). If you have less conservative requirements
and can accept the remote possibility of a bug creeping into the system,
the -STABLE branch (RELENG_4) has, for me, proven to be very reliable.

There are several other options for fixing OpenSSH: 
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01%3A63.openssh.asc

-- 
Christopher Farley
www.northernbrewer.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message