Date: Sun, 16 Oct 2016 10:45:40 -0700
From: David Wolfskill
To: Xin Li
Cc: freebsd-stable@freebsd.org, d@delphij.net
Subject: Re: sshd whines & dies after releng/10 "freebsd-update" run
Message-ID: <20161016174540.GI1069@albert.catwhisker.org>
References: <20161016162605.GG1069@albert.catwhisker.org>

On Sun, Oct 16, 2016 at 10:29:00AM -0700, Xin Li wrote:
> ...
> On 10/16/16 09:26, David Wolfskill wrote:
> > And over the last year or so, it's worked pretty well: I have the
> > machine set up (as is usually my approach) to be able to boot from
> > either of a couple of slices. I use a "dump | restore" pipeline
> > to copy the / and /usr file systems from the "active" slice to the
> > "inactive" slice, adjust /etc/fstab on the inactive slice to reflect
> > reality for when it's the boot slice, then (while the file systems
> > from the other slice are still mounted -- e.g., on /S2) run
> > "freebsd-update -b /S2 fetch install", then reboot from the
> > newly-updated slice.
> >
> > In the past, that's Just Worked.
>
> Your usage probably worked because you were lucky for a few times in the
> past. (details below)
>
> > This weekend, though, I was planning to update my other systems from
> > stable/10 to stable/11, so I figured I'd try freebsd-update on this
> > machine first.
> >
> [...]
> > root@sisboombah:/tmp # `which sshd` -d
> > Undefined symbol "ssh_compat13" referenced from COPY relocation in /usr/sbin/sshd
> >
> > Any clues?
>
> I think this is not going to work (stable/10 -> releng/10.3) due to ABI
> incompatibility in a downgrade.

I seem to have failed to communicate clearly:

The machine in question does not, and has not, run "stable". It runs
releng. At the moment (on the "old" slice), it reports:

sisboombah(10.3-RELEASE-p7)[1] uname -a
FreeBSD sisboombah.catwhisker.org 10.3-RELEASE-p7 FreeBSD 10.3-RELEASE-p7 #0: Thu Aug 11 18:38:15 UTC 2016 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
sisboombah(10.3-RELEASE-p7)[2]

> Basically, freebsd-update is treating your stable/10 as a 10.3-RELEASE
> installation and will fetch only changes from 10.3-RELEASE to the latest
> patchlevel.

I can see that... if the machine were running stable.

> Because of a SSH vulnerability that affects 10.3, freebsd-update would
> patch libssh (shared library used by sshd and friends), however the
> change does not affect the main binary. This worked by replacing your
> existing libssh with the one shipped by freebsd-update (effectively
> downgraded the library) and that would break sshd.

As a reality check:

sisboombah(10.3-RELEASE-p7)[4] sudo mount /S2
Password:
sisboombah(10.3-RELEASE-p7)[5] sudo mount /S2/usr
sisboombah(10.3-RELEASE-p7)[6] ls -lT {,/S2}/usr/lib/private/libssh.so.*
-r--r--r-- 1 root wheel 634232 Oct 16 11:57:32 2016 /S2/usr/lib/private/libssh.so.5
-r--r--r-- 1 root wheel 569864 Jun 5 13:37:52 2016 /usr/lib/private/libssh.so.5
sisboombah(10.3-RELEASE-p7)[7] ls -lT {,/S2}/usr/sbin/ssh*
-r-xr-xr-x 1 root wheel 297736 Jun 5 13:38:35 2016 /S2/usr/sbin/sshd
-r-xr-xr-x 1 root wheel 297736 Jun 5 13:38:35 2016 /usr/sbin/sshd
sisboombah(10.3-RELEASE-p7)[8]

> I think upgrade -r 10.2-RELEASE (ideally, 11.0-RELEASE though as it
> would eliminate the possibility of any potential incompatibility) would
> work because that would result in a full rewrite of all files.

Well, I had seen reports of folks having "issues" with attempts to use
freebsd-update to get to releng/11 from systems that weren't as
up-to-date as they might be; I was actually trying to avoid a problem.... :-}

Peace,
david
--
David H. Wolfskill david@catwhisker.org
Those who would murder in the name of God or prophet are blasphemous cowards.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
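
Added example, not part of the original message and not code from freebsd-update: a sh check for the mismatch discussed in this thread, where libssh.so.5 on /S2 changed while sshd did not. It lists symbols a binary imports that the old library exported and the updated one no longer does; the function names and the constructed symbol lists in demo() are assumptions, and it assumes an nm that accepts -D, --defined-only and --undefined-only.

```shell
#!/bin/sh
# Added example: run before rebooting into a root updated with
# "freebsd-update -b"; exit status 1 means the binary would lose symbols.

# dyn_syms defined|undefined FILE -> sorted dynamic symbol names, one per line
dyn_syms() {
    nm -D "--$1-only" "$2" | awk '{ sub(/@.*/, "", $NF); print $NF }' |
        LC_ALL=C sort -u
}

# lost_imports IMPORTS OLD_EXPORTS NEW_EXPORTS (files of sorted names)
# prints the imports that are in OLD_EXPORTS but not in NEW_EXPORTS
lost_imports() {
    LC_ALL=C comm -23 "$2" "$3" | LC_ALL=C comm -12 - "$1"
}

# check_pair BINARY OLD_LIB NEW_LIB -> 0 nothing lost, 1 symbols lost, 2 error
check_pair() {
    tmp=$(mktemp -d) || return 2
    dyn_syms undefined "$1" > "$tmp/imports"
    dyn_syms defined   "$2" > "$tmp/old"
    dyn_syms defined   "$3" > "$tmp/new"
    if ! [ -s "$tmp/imports" ] || ! [ -s "$tmp/new" ]; then
        echo "nm returned no symbols; cannot compare" >&2
        rm -rf "$tmp"; return 2
    fi
    lost=$(lost_imports "$tmp/imports" "$tmp/old" "$tmp/new")
    rm -rf "$tmp"
    [ -z "$lost" ] && return 0
    for s in $lost; do echo "$1: '$s' is no longer exported by $3"; done
    return 1
}

# Constructed symbol lists standing in for nm output; only ssh_compat13 comes
# from the error message in the thread, the other names are made up.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' malloc ssh_compat13 ssh_example_a | LC_ALL=C sort > "$d/imports"
    printf '%s\n' ssh_compat13 ssh_example_a ssh_example_b | LC_ALL=C sort > "$d/old"
    printf '%s\n' ssh_example_a ssh_example_c | LC_ALL=C sort > "$d/new"
    lost_imports "$d/imports" "$d/old" "$d/new"
    rm -rf "$d"
}

if [ $# -eq 3 ]; then check_pair "$@"; fi
```

With the paths shown in the message, the three arguments would be /S2/usr/sbin/sshd, /usr/lib/private/libssh.so.5 and /S2/usr/lib/private/libssh.so.5.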