Date: Sun, 16 Oct 2016 10:45:40 -0700
From: David Wolfskill <david@catwhisker.org>
To: Xin Li <delphij@delphij.net>
Cc: freebsd-stable@freebsd.org, d@delphij.net
Subject: Re: sshd whines & dies after releng/10 "freebsd-update" run
Message-ID: <20161016174540.GI1069@albert.catwhisker.org>
In-Reply-To: <e411c763-30b7-dee1-24d0-5c6278ef6a65@delphij.net>
References: <20161016162605.GG1069@albert.catwhisker.org> <e411c763-30b7-dee1-24d0-5c6278ef6a65@delphij.net>

On Sun, Oct 16, 2016 at 10:29:00AM -0700, Xin Li wrote:
> ...
> On 10/16/16 09:26, David Wolfskill wrote:
> > And over the last year or so, it's worked pretty well: I have the
> > machine set up (as is usually my approach) to be able to boot from
> > either of a couple of slices. I use a "dump | restore" pipeline
> > to copy the / and /usr file systems from the "active" slice to the
> > "inactive" slice, adjust /etc/fstab on the inactive slice to reflect
> > reality for when it's the boot slice, then (while the file systems
> > from the other slice are still mounted -- e.g., on /S2) run
> > "freebsd-update -b /S2 fetch install", then reboot from the
> > newly-updated slice.
> >
> > In the past, that's Just Worked.
>
> Your usage probably worked because you were lucky for a few times in the
> past. (details below)
>
> > This weekend, though, I was planning to update my other systems from
> > stable/10 to stable/11, so I figured I'd try freebsd-update on this
> > machine first.
> >
> [...]
> > root@sisboombah:/tmp # `which sshd` -d
> > Undefined symbol "ssh_compat13" referenced from COPY relocation in /usr/sbin/sshd
> >
> > Any clues?
>
> I think this is not going to work (stable/10 -> releng/10.3) due to ABI
> incompatibility in a downgrade.

I seem to have failed to communicate clearly: The machine in question
does not, and has not, run "stable". It runs releng.

At the moment (on the "old" slice), it reports:

sisboombah(10.3-RELEASE-p7)[1] uname -a
FreeBSD sisboombah.catwhisker.org 10.3-RELEASE-p7 FreeBSD 10.3-RELEASE-p7 #0: Thu Aug 11 18:38:15 UTC 2016 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
sisboombah(10.3-RELEASE-p7)[2]

> Basically, freebsd-update is treating your stable/10 as a 10.3-RELEASE
> installation and will fetch only changes from 10.3-RELEASE to the latest
> patchlevel.

I can see that... if the machine were running stable.

> Because of a SSH vulnerability that affects 10.3, freebsd-update would
> patch libssh (shared library used by sshd and friends), however the
> change does not affect the main binary. This worked by replacing your
> existing libssh with the one shipped by freebsd-update (effectively
> downgraded the library) and that would break sshd.

As a reality check:

sisboombah(10.3-RELEASE-p7)[4] sudo mount /S2
Password:
sisboombah(10.3-RELEASE-p7)[5] sudo mount /S2/usr
sisboombah(10.3-RELEASE-p7)[6] ls -lT {,/S2}/usr/lib/private/libssh.so.*
-r--r--r-- 1 root wheel 634232 Oct 16 11:57:32 2016 /S2/usr/lib/private/libssh.so.5
-r--r--r-- 1 root wheel 569864 Jun 5 13:37:52 2016 /usr/lib/private/libssh.so.5
sisboombah(10.3-RELEASE-p7)[7] ls -lT {,/S2}/usr/sbin/ssh*
-r-xr-xr-x 1 root wheel 297736 Jun 5 13:38:35 2016 /S2/usr/sbin/sshd
-r-xr-xr-x 1 root wheel 297736 Jun 5 13:38:35 2016 /usr/sbin/sshd
sisboombah(10.3-RELEASE-p7)[8]

> I think upgrade -r 10.2-RELEASE (ideally, 11.0-RELEASE though as it
> would eliminate the possibility of any potential incompatibility) would
> work because that would result in a full rewrite of all files.

Well, I had seen reports of folks having "issues" with attempts to use
freebsd-update to get to releng/11 from systems that weren't as
up-to-date as they might be; I was actually trying to avoid a
problem.... :-}

Peace,
david
--
David H. Wolfskill david@catwhisker.org
Those who would murder in the name of God or prophet are blasphemous cowards.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.