From: Xin Li
To: freebsd-stable@freebsd.org
Cc: d@delphij.net
Subject: Re: sshd whines & dies after releng/10 "freebsd-update" run
Date: Sun, 16 Oct 2016 10:29:00 -0700
In-Reply-To: <20161016162605.GG1069@albert.catwhisker.org>

On 10/16/16 09:26, David Wolfskill wrote:
> And over the last year or so, it's worked pretty well: I have the
> machine set up (as is usually my approach) to be able to boot from
> either of a couple of slices.  I use a "dump | restore" pipeline
> to copy the / and /usr file systems from the "active" slice to the
> "inactive" slice, adjust /etc/fstab on the inactive slice to reflect
> reality for when it's the boot slice, then (while the file systems
> from the other slice are still mounted -- e.g., on /S2) run
> "freebsd-update -b /S2 fetch install", then reboot from the
> newly-updated slice.
>
> In the past, that's Just Worked.

Your usage probably worked because you were lucky a few times in the
past (details below).

> This weekend, though, I was planning to update my other systems from
> stable/10 to stable/11, so I figured I'd try freebsd-update on this
> machine first.
>
[...]
> root@sisboombah:/tmp # `which sshd` -d
> Undefined symbol "ssh_compat13" referenced from COPY relocation in /usr/sbin/sshd
>
> Any clues?

I think this is not going to work (stable/10 -> releng/10.3) due to ABI
incompatibility in a downgrade.

Basically, freebsd-update is treating your stable/10 as a 10.3-RELEASE
installation and will fetch only changes from 10.3-RELEASE to the latest
patchlevel.  Because of an SSH vulnerability that affects 10.3,
freebsd-update would patch libssh (the shared library used by sshd and
friends); however, the change does not affect the main binary.  This
worked by replacing your existing libssh with the one shipped by
freebsd-update (effectively downgrading the library), and that would
break sshd.

I think upgrade -r 10.2-RELEASE (ideally 11.0-RELEASE, though, as it
would eliminate the possibility of any potential incompatibility) would
work because that would result in a full rewrite of all files.

Cheers,
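
A pre-flight guard for the "freebsd-update -b /S2 fetch install" step discussed in this thread, added here as an example and not part of the original message or of freebsd-update itself. The function names are hypothetical, and it assumes the target tree carries its own bin/freebsd-version script (a shell script whose -u flag prints that tree's userland version).

```shell
#!/bin/sh
# Added example: refuse binary patching of a tree that was not installed
# from a release build, so a source-built stable/10 userland never gets a
# release-built libssh dropped underneath its own sshd.

# classify_userland VERSION -> prints "release", "source-branch" or "unknown".
# Assumption: -STABLE, -PRERELEASE and -CURRENT mark source-built branches.
classify_userland() {
    case "$1" in
        *-RELEASE|*-RELEASE-p[0-9]*)        echo release ;;
        *-STABLE|*-PRERELEASE|*-CURRENT)    echo source-branch ;;
        *)                                  echo unknown ;;
    esac
}

# userland_of BASEDIR -> prints the userland version recorded in that tree.
# The script is run with the host's sh, so the inactive slice does not
# need to be bootable or chrooted into.
userland_of() {
    fv="$1/bin/freebsd-version"
    [ -r "$fv" ] || return 1
    sh "$fv" -u
}

# preflight BASEDIR -> 0 if binary updates match the tree, 1 if the tree is
# a source-built branch or unrecognised, 2 if no version could be read.
preflight() {
    ver=$(userland_of "$1") || {
        echo "preflight: no bin/freebsd-version under $1" >&2
        return 2
    }
    kind=$(classify_userland "$ver")
    if [ "$kind" = release ]; then
        echo "ok: $1 is $ver"
        return 0
    fi
    echo "refuse: $1 is $ver ($kind); binary patches would replace" >&2
    echo "        single libraries and leave the other binaries as built" >&2
    return 1
}

# Usage (constructed path from the thread):
#   preflight /S2 && freebsd-update -b /S2 fetch install
```
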