From: "Rick Hoppe"
To: "Jesper Wallin"
Subject: RE: Why update the world because of OpenSSH?
Date: Sun, 31 Mar 2002 22:18:42 +0200
Sender: owner-freebsd-security@FreeBSD.ORG

Jesper Wallin wrote:

> Once again I make myself look like a fool..
>
> I'm quite new to both mailing lists and FreeBSD so I'm not sure if I should
> post this or where I should post it.. sorry for pissing you off..
>
> Well, some months ago I saw the warnings about the root exploit for
> OpenSSH here. What I never understood was, why should I update my world
> because of an OpenSSH exploit? Isn't it enough to just cvsup the
> ports and
> re-install OpenSSH from the ports?
>
>
> //Jesper aka Z3l3zT
>

Please take your time to read and understand the FreeBSD Security Advisories.
Your answer is already in the security advisory itself.

Part of FreeBSD Security Advisory FreeBSD-SA-02:13.openssh :

V. Solution

Do one of the following:

[For OpenSSH included in the base system]

1) Upgrade the vulnerable system to 4.4-RELEASEp9, 4.5-RELEASEp2, or
4.5-STABLE after the correction date and rebuild.

2) FreeBSD 4.x systems prior to the correction date:

The following patch has been verified to apply to FreeBSD 4.4-RELEASE,
4.5-RELEASE, and 4.5-STABLE dated prior to the correction date. It may
or may not apply to older, unsupported versions of FreeBSD.

Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:13/openssh.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:13/openssh.patch.asc

Execute the following commands as root:

# cd /usr/src
# patch < /path/to/sshd.patch
# cd /usr/src/secure/lib/libssh
# make depend && make all
# cd /usr/src/secure/usr.sbin/sshd
# make depend && make all install
# cd /usr/src/secure/usr.bin/ssh
# make depend && make all install

This advisory has two solutions for systems with OpenSSH in the base system.
It seems the second solution is the best for you.

Please note that when you have already installed the OpenSSH port, the base
OpenSSH is still there. So your users may be able to use that one, with the
security problem, instead of the OpenSSH you installed with the port.

So you may choose to install the newest OpenSSH port, which is also fixed,
but don't forget the OpenSSH in the base system. Please use solution 2.

Regards,

Rick Hoppe
Network- and Systemspecialist
Xtraxion Internet
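
The point made in the reply, that installing the OpenSSH port leaves the base system's OpenSSH in place, can be checked on a host. The script below is an added example, not part of the original message or the advisory; the function names and the ROOT argument are hypothetical, and it assumes the usual install locations (/usr for the base system, /usr/local for ports).

```shell
#!/bin/sh
# Added example: list every OpenSSH client and daemon found in the base
# system and in the ports locations, so a leftover base copy is not missed.

# Print "origin path version" for each ssh/sshd binary found under ROOT.
# ROOT is a hypothetical argument (default "/") naming an alternate tree.
list_openssh_copies() {
    root="${1:-/}"
    root="${root%/}"        # "/" becomes "", "/some/tree/" loses the slash
    for entry in \
        "base:/usr/bin/ssh" "base:/usr/sbin/sshd" \
        "port:/usr/local/bin/ssh" "port:/usr/local/sbin/sshd"
    do
        origin="${entry%%:*}"
        path="${entry#*:}"
        [ -x "$root$path" ] || continue
        case "$path" in
            */ssh)
                # ssh -V writes its version banner to stderr
                version=$("$root$path" -V 2>&1 | head -n 1) ;;
            *)
                # the daemon is only reported as present, not queried
                version="(installed)" ;;
        esac
        printf '%s %s %s\n' "$origin" "$path" "$version"
    done
}

# Return 0 when the same program exists both in base and in ports, which is
# the situation where patching only one of the two leaves the other exposed.
has_duplicate_install() {
    copies=$(list_openssh_copies "$1")
    for prog in ssh sshd; do
        if printf '%s\n' "$copies" | grep -q "^base .*/$prog " &&
           printf '%s\n' "$copies" | grep -q "^port .*/$prog "; then
            return 0
        fi
    done
    return 1
}

list_openssh_copies /
if has_duplicate_install /; then
    echo "OpenSSH is installed from both base and ports: update both"
fi
```

Any line tagged "base" refers to a binary that reinstalling the port does not replace.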