From: Matthew Seaman
Date: Wed, 16 Mar 2011 14:35:09 +0000
To: freebsd-questions@freebsd.org
Subject: Re: Updating OpenSSH
Message-ID: <4D80CA9D.9010506@infracaninophile.co.uk>

On 16/03/2011 13:38, Carmel wrote:
> I was just wondering about the version of SSH used on FreeBSD.
>
> According to the OpenSSH page:
>
> OpenSSH 5.8/5.8p1 released February 4, 2011 [contains security fix]
>
> Now, according to my system, FreeBSD-8.2, I have this version:
>
> OpenSSH_5.4p1 FreeBSD-20100308, OpenSSL 0.9.8q 2 Dec 2010
>
> # openssl version
> OpenSSL 1.0.0d 8 Feb 2011
>
> So why is an older version shown?
> Also, when does the FreeBSD team intend to update the system OpenSSH version?
>
> I have the following notation in my /etc/make.conf file:
>
> WITH_OPENSSL_PORT=yes
>
> Should I have something else also? I have FreeBSD 8.2-STABLE installed.

The version of OpenSSH shipped with any release of the OS is exceedingly unlikely to be updated within the lifetime of that release. Not unless there was a killer problem, and it turned out easier to update the whole shebang rather than just patching the problem.

Why wasn't OpenSSH updated in stable/8 before 8.2-RELEASE? Good question. I don't actually know. It's quite possible that no one had sufficient spare cycles to do the work required, and that the changes between 5.4 and 5.8 were not sufficiently compelling for anyone to make the time.

As for security vulnerabilities: did you check on the OpenSSH site? The vulnerability fixed in 5.8 (information leak in signed SSH keys) only applies to versions 5.6 and 5.7 -- that's because the whole 'signed key' thing isn't in version 5.4 at all. I can tell you that the FreeBSD Security Team is extremely efficient and would have had patches and security advisories out for this problem within a matter of hours of the OpenSSH announcement *if it had been relevant*.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew@infracaninophile.co.uk
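
An added example, not part of the original message: a POSIX sh check that parses an `ssh -V` banner and reports whether it falls in the range the reply gives for the issue fixed in 5.8 (versions 5.6 and 5.7). The function names are hypothetical, and the sample strings are the two version lines quoted in the message.

```shell
#!/bin/sh
# Added example (not from the original message). Function names are hypothetical.

# Print "MAJOR MINOR" parsed from a banner such as
# "OpenSSH_5.4p1 FreeBSD-20100308, OpenSSL 0.9.8q 2 Dec 2010".
# Prints nothing if the string is not an OpenSSH banner.
openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Print the OpenSSL version named in a banner or in `openssl version` output.
linked_openssl() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([0-9][0-9a-z.]*\).*/\1/p'
}

# Print "affected", "not-affected" or "unknown" for a banner, using the
# range stated in the reply: only 5.6 and 5.7 carry the signed-key code
# with the information leak; 5.4 predates the feature, 5.8 has the fix.
signed_key_leak_status() {
    set -- $(openssh_version "$1")      # $1 = major, $2 = minor
    [ $# -eq 2 ] || { echo unknown; return 0; }
    if [ "$1" -eq 5 ] && [ "$2" -ge 6 ] && [ "$2" -le 7 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Sample input: the two version strings quoted in the message.
banner='OpenSSH_5.4p1 FreeBSD-20100308, OpenSSL 0.9.8q 2 Dec 2010'
cli='OpenSSL 1.0.0d 8 Feb 2011'

echo "OpenSSH banner status: $(signed_key_leak_status "$banner")"
# The banner names the OpenSSL that ssh itself reports; `openssl version`
# names whichever openssl binary is first in PATH. They can differ.
echo "ssh reports OpenSSL $(linked_openssl "$banner")," \
     "openssl command reports $(linked_openssl "$cli")"
```

To check a live system, pass `"$(ssh -V 2>&1)"` to `signed_key_leak_status`; `ssh -V` writes its banner to standard error.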