Date: Wed, 16 Mar 2011 14:35:09 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: freebsd-questions@freebsd.org
Subject: Re: Updating OpenSSH
Message-ID: <4D80CA9D.9010506@infracaninophile.co.uk>
In-Reply-To: <BLU0-SMTP8122271A88031B532DC3DA93CE0@phx.gbl>
References: <BLU0-SMTP8122271A88031B532DC3DA93CE0@phx.gbl>

On 16/03/2011 13:38, Carmel wrote:
> I was just wondering about the version of SSH used on FreeBSD.
>
> According to the OpenSSH page:
>
> OpenSSH 5.8/5.8p1 released February 4, 2011 [contains security fix]
>
> Now, according to my system, FreeBSD-8.2, I have this version:
>
> OpenSSH_5.4p1 FreeBSD-20100308, OpenSSL 0.9.8q 2 Dec 2010
>
> # openssl version
> OpenSSL 1.0.0d 8 Feb 2011
>
> So why is an older version shown? Also, when does the FreeBSD
> team intend to update the system OpenSSH version?
>
> I have the following notation in my /etc/make.conf file:
>
> WITH_OPENSSL_PORT=yes
>
> Should I have something else also? I have FreeBSD 8.2-STABLE installed.
>

The version of OpenSSH shipped with any release of the OS is exceedingly
unlikely to be updated within the lifetime of that release. Not unless
there was a killer problem, and it turned out easier to update the whole
shebang rather than just patching the problem.

Why wasn't OpenSSH updated in stable/8 before 8.2-RELEASE? Good
question. I don't actually know. It's quite possible that no one had
sufficient spare cycles to do the work required, and that the changes
between 5.4 and 5.8 were not sufficiently compelling for anyone to make
the time.

As for security vulnerabilities: did you check on the OpenSSH site? The
vulnerability fixed in 5.8 (information leak in signed SSH keys) only
applies to versions 5.6 and 5.7 -- that's because the whole 'signed key'
thing isn't in version 5.4 at all. I can tell you that the FreeBSD
Security Team is extremely efficient and would have had patches and
security advisories out for this problem within a matter of hours of the
OpenSSH announcement *if it had been relevant*.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
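
The version comparison made in the reply above can be scripted against the `ssh -V` banner. This is an added example, not part of the original message: the affected range (5.6 and 5.7) is taken from the reply, the function names are hypothetical, and every banner except the 5.4p1 one quoted in the thread is constructed.

```shell
#!/bin/sh
# Added example: decide from an `ssh -V` banner whether the base OpenSSH
# falls in the range the reply names as affected by the issue fixed in 5.8.

# Print "major minor" parsed from a banner; return 1 if it cannot be parsed.
openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' |
        grep .
}

# Return 0 if the version is 5.6 or 5.7 (affected, per the reply),
# 1 if it is outside that range, 2 if the banner is not recognised.
openssh_in_affected_range() {
    ver=$(openssh_version "$1") || return 2
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -eq 5 ] && [ "$minor" -ge 6 ] && [ "$minor" -le 7 ]
}

# Print a one-line verdict for a banner.
report() {
    rc=0
    openssh_in_affected_range "$1" || rc=$?
    case $rc in
        0) echo "AFFECTED      $1" ;;
        1) echo "not affected  $1" ;;
        *) echo "unparsable    $1" ;;
    esac
}

# First banner is the one quoted in the thread; the others are constructed.
report "OpenSSH_5.4p1 FreeBSD-20100308, OpenSSL 0.9.8q 2 Dec 2010"
report "OpenSSH_5.6p1, OpenSSL 0.9.8q 2 Dec 2010"
report "OpenSSH_5.8p1, OpenSSL 1.0.0d 8 Feb 2011"
report "dropbear banner (constructed, not OpenSSH)"
```

On a live host the banner comes from `ssh -V 2>&1`, since OpenSSH writes it to standard error.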