Date:      Sun, 16 Oct 2016 10:45:40 -0700
From:      David Wolfskill <david@catwhisker.org>
To:        Xin Li <delphij@delphij.net>
Cc:        freebsd-stable@freebsd.org, d@delphij.net
Subject:   Re: sshd whines & dies after releng/10 "freebsd-update" run
Message-ID:  <20161016174540.GI1069@albert.catwhisker.org>
In-Reply-To: <e411c763-30b7-dee1-24d0-5c6278ef6a65@delphij.net>
References:  <20161016162605.GG1069@albert.catwhisker.org> <e411c763-30b7-dee1-24d0-5c6278ef6a65@delphij.net>


On Sun, Oct 16, 2016 at 10:29:00AM -0700, Xin Li wrote:
> ...
> On 10/16/16 09:26, David Wolfskill wrote:
> > And over the last year or so, it's worked pretty well:  I have the
> > machine set up (as is usually my approach) to be able to boot from
> > either of a couple of slices.  I use a "dump | restore" pipeline
> > to copy the / and /usr file systems from the "active" slice to the
> > "inactive" slice, adjust /etc/fstab on the inactive slice to reflect
> > reality for when it's the boot slice, then (while the file systems
> > from the other slice are still mounted -- e.g., on /S2) run
> > "freebsd-update -b /S2 fetch install", then reboot from the
> > newly-updated slice.
> >
> > In the past, that's Just Worked.
>
> Your usage probably worked because you were lucky for a few times in the
> past.  (details below)
>
> > This weekend, though, I was planning to update my other systems from
> > stable/10 to stable/11, so I figured I'd try freebsd-update on this
> > machine first.
> >
> [...]
> > root@sisboombah:/tmp # `which sshd` -d
> > Undefined symbol "ssh_compat13" referenced from COPY relocation in /usr/sbin/sshd
> >
> > Any clues?
>
> I think this is not going to work (stable/10 -> releng/10.3) due to ABI
> incompatibility in a downgrade.

I seem to have failed to communicate clearly:  The machine in question
does not, and has not, run "stable".  It runs releng.

At the moment (on the "old" slice), it reports:

sisboombah(10.3-RELEASE-p7)[1] uname -a
FreeBSD sisboombah.catwhisker.org 10.3-RELEASE-p7 FreeBSD 10.3-RELEASE-p7 #0: Thu Aug 11 18:38:15 UTC 2016     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
sisboombah(10.3-RELEASE-p7)[2]

> Basically, freebsd-update is treating your stable/10 as a 10.3-RELEASE
> installation and will fetch only changes from 10.3-RELEASE to the latest
> patchlevel.

I can see that... if the machine were running stable.

> Because of a SSH vulnerability that affects 10.3, freebsd-update would
> patch libssh (shared library used by sshd and friends), however the
> change does not affect the main binary.  This worked by replacing your
> existing libssh with the one shipped by freebsd-update (effectively
> downgraded the library) and that would break sshd.

As a reality check:
sisboombah(10.3-RELEASE-p7)[4] sudo mount /S2
Password:
sisboombah(10.3-RELEASE-p7)[5] sudo mount /S2/usr
sisboombah(10.3-RELEASE-p7)[6] ls -lT {,/S2}/usr/lib/private/libssh.so.*
-r--r--r--  1 root  wheel  634232 Oct 16 11:57:32 2016 /S2/usr/lib/private/libssh.so.5
-r--r--r--  1 root  wheel  569864 Jun  5 13:37:52 2016 /usr/lib/private/libssh.so.5
sisboombah(10.3-RELEASE-p7)[7] ls -lT {,/S2}/usr/sbin/ssh*
-r-xr-xr-x  1 root  wheel  297736 Jun  5 13:38:35 2016 /S2/usr/sbin/sshd
-r-xr-xr-x  1 root  wheel  297736 Jun  5 13:38:35 2016 /usr/sbin/sshd
sisboombah(10.3-RELEASE-p7)[8]

> I think upgrade -r 10.2-RELEASE (ideally, 11.0-RELEASE though as it
> would eliminate the possibility of any potential incompatibility) would
> work because that would result in a full rewrite of all files.

Well, I had seen reports of folks having "issues" with attempts to
use freebsd-update to get to releng/11 from systems that weren't
as up-to-date as they might be; I was actually trying to avoid a
problem.... :-}

Peace,
david
-- 
David H. Wolfskill				david@catwhisker.org
Those who would murder in the name of God or prophet are blasphemous cowards.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
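
An added example, not part of the original message or of freebsd-update: the reality check above compares sizes and timestamps by eye; this does the same comparison by content with cmp and reports when only one of a binary and its private library differs between two root trees. The function names are hypothetical and the demo trees are constructed; "skew" marks a pair to test-start before rebooting into the new slice, not proof of breakage.

```shell
#!/bin/sh
# differs A B: 0 if both files exist and their contents differ,
# 1 if they are identical, 2 if either file is missing.
differs() {
    [ -f "$1" ] && [ -f "$2" ] || return 2
    if cmp -s "$1" "$2"; then return 1; fi
    return 0
}

# skew_check OLD_ROOT NEW_ROOT BINARY LIBRARY   (paths relative to the roots)
# Prints one word and returns:
#   0 "consistent"  binary and library both changed, or both unchanged
#   1 "skew"        exactly one of the pair changed between the roots
#   2 "missing"     a file is absent from one of the roots
skew_check() {
    old=$1; new=$2; bin=$3; lib=$4
    differs "$old/$bin" "$new/$bin" && b=0 || b=$?
    differs "$old/$lib" "$new/$lib" && l=0 || l=$?
    if [ "$b" -eq 2 ] || [ "$l" -eq 2 ]; then
        echo missing; return 2
    fi
    if [ "$b" -ne "$l" ]; then
        echo skew; return 1
    fi
    echo consistent; return 0
}

# demo: constructed trees (not real FreeBSD files) mirroring the listing
# in the message: identical sshd, different libssh.so.5.
demo() {
    t=$(mktemp -d) || return 2
    mkdir -p "$t/old/usr/sbin" "$t/old/usr/lib/private" \
             "$t/new/usr/sbin" "$t/new/usr/lib/private"
    echo sshd-A   > "$t/old/usr/sbin/sshd"
    echo sshd-A   > "$t/new/usr/sbin/sshd"
    echo libssh-A > "$t/old/usr/lib/private/libssh.so.5"
    echo libssh-B > "$t/new/usr/lib/private/libssh.so.5"
    skew_check "$t/old" "$t/new" usr/sbin/sshd usr/lib/private/libssh.so.5 \
        && rc=0 || rc=$?
    rm -rf "$t"
    return "$rc"
}

# With the mount points shown in the message, the call would be:
#   skew_check / /S2 usr/sbin/sshd usr/lib/private/libssh.so.5
```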