Date: Tue, 25 Jun 2002 23:26:06 +0100
From: Scott Mitchell <scott.mitchell@mail.com>
To: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc: Christopher Schulte <schulte+freebsd@nospam.schulte.org>, Lord Raiden <raiden23@netzero.net>, Marco Radzinschi <marco@radzinschi.com>, FreeBSD-Questions <freebsd-questions@FreeBSD.ORG>
Subject: Re: Upcoming OpenSSH vulnerability (fwd)
Message-ID: <20020625232606.C381@fishballoon.dyndns.org>
In-Reply-To: <20020625205928.GA50230@happy-idiot-talk.infracaninophi>; from m.seaman@infracaninophile.co.uk on Tue, Jun 25, 2002 at 09:59:28PM +0100
References: <5.1.1.6.2.20020624224948.02923518@pop3s.schulte.org> <20020624234646.G22328-100000@mail.radzinschi.com> <4.2.0.58.20020625134233.009992b0@pop.netzero.net> <5.1.1.6.2.20020625124040.041c50f0@pop3s.schulte.org> <20020625205840.B381@fishballoon.dyndns.org> <20020625205928.GA50230@happy-idiot-talk.infracaninophi>
On Tue, Jun 25, 2002 at 09:59:28PM +0100, Matthew Seaman wrote:
> On Tue, Jun 25, 2002 at 08:58:40PM +0100, Scott Mitchell wrote:
>
> > With previous ssh vulnerabilities I've been able to just patch the base
> > system, by rebuilding the world or using the patch included with the
> > advisory. However, to get to 3.3 it looks like I'd need to install a port.
> >
> > There are two OpenSSH ports: security/openssh and security/openssh-portable
> >
> > What's the difference between these two ports?
>
> security/openssh is the straight OpenBSD code, also used in NetBSD.
> security/openssh-portable is the modified portable version everyone
> else uses. The main difference is that openssh-portable includes pam
> support.
>
> > Which one should I install to deal with this vulnerability?
>
> Either will do: however the plan is that OpenSSH as supplied in the
> base system will be upgraded to OpenSSH portable in the very near
> future. As there shouldn't be too many FreeBSD specific modifications
> to the portable code, it's likely that we'll be tracking new releases
> of OpenSSH rather more closely than has been the case up to now.
>
> I'd install openssh-portable 3.3p1 now, before the full disclosure of
> the vulnerability on (I think) Thursday, which should tide you over
> until the base system gets 3.4p1 with the full patch. You need to
> install 3.3p1 from a ports tree cvsup'd sometime after last night to
> get the separation of privilege thing, which will provide almost
> complete protection from the security hole.

Thanks Matthew, a most helpful answer. I saw all the src/crypto/openssh-portable come across in the cvsup I just ran... hopefully that will come into -STABLE before too long as well.

I see the openssh-portable port Makefile has an OPENSSH_OVERWRITE_BASE option. Presumably I can set that and NO_OPENSSH in make.conf to have the port replace the base ssh temporarily -- fewer things to undo when 3.4p1 hits the base system.
Any non-obvious disadvantages to that approach that I'm not seeing?

Thanks again,

Scott

--
===========================================================================
Scott Mitchell          | PGP Key ID | "Eagles may soar, but weasels
Cambridge, England      | 0x54B171B9 | don't get sucked into jet engines"
scott.mitchell@mail.com | 0xAA775B8B |                            -- Anon
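As an added example, not part of the thread or of the FreeBSD project's code: a small POSIX shell check that applies the triage Matthew lays out above to a host, reading the OpenSSH version banner and the sshd_config of whichever sshd is actually running (base or port). It assumes version plus privilege-separation status is the whole story, and treats a missing UsePrivilegeSeparation line as "not enabled".

```shell
# Added example, not from the thread: apply the mail's triage to a host.
# Below 3.3 is unpatched, 3.3 is mitigated only with privilege separation on,
# 3.4 and later carry the full fix. Inputs are constructed below; on a real
# host feed it `ssh -V 2>&1` and the config of the sshd actually running.

# Extract "major minor" from a banner such as "OpenSSH_3.3p1, SSH protocols ...".
openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_\([0-9]\{1,\}\)\.\([0-9]\{1,\}\).*/\1 \2/p' | head -n 1
}

# True when UsePrivilegeSeparation is explicitly "yes". sshd honours the first
# occurrence of a keyword, so stop at the first match; commented lines start
# with '#' and never match. Absent directive = not enabled (conservative
# assumption: the compiled-in default varies by build).
privsep_enabled() {
    val=$(printf '%s\n' "$1" |
        awk 'tolower($1) == "useprivilegeseparation" { print tolower($2); exit }')
    [ "$val" = "yes" ]
}

# $1 = version banner, $2 = sshd_config text. Prints unknown|unpatched|mitigated|patched.
openssh_status() {
    ver=$(openssh_version "$1")
    [ -n "$ver" ] || { echo unknown; return 0; }
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 4 ]; }; then
        echo patched
    elif [ "$major" -eq 3 ] && [ "$minor" -eq 3 ] && privsep_enabled "$2"; then
        echo mitigated
    else
        echo unpatched
    fi
}

# Constructed sample inputs (not captured from a real host).
BANNER_33='OpenSSH_3.3p1, SSH protocols 1.5/2.0, OpenSSL 0.9.6c'
BANNER_34='OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0.9.6c'
BANNER_29='OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0.9.6c'
CFG_PRIVSEP='# constructed sshd_config excerpt
#UsePrivilegeSeparation no
Protocol 2
UsePrivilegeSeparation yes'
CFG_NOPRIVSEP='Protocol 2
UsePrivilegeSeparation no'

openssh_status "$BANNER_33" "$CFG_PRIVSEP"    # mitigated
openssh_status "$BANNER_33" "$CFG_NOPRIVSEP"  # unpatched
```

On the setup Scott describes (port overwriting the base ssh), run the banner from the port's binary, since the base binary's version no longer reflects what is listening.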