Date:      Sun, 26 Feb 2006 04:23:17 +0200
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        "Daniel A." <ldrada@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Updating OpenSSH
Message-ID:  <20060226022316.GA56261@flame.pc>
In-Reply-To: <5ceb5d550602251625s59a07426va95de19bb48cb969@mail.gmail.com>
References:  <5ceb5d550602251625s59a07426va95de19bb48cb969@mail.gmail.com>

On 2006-02-26 01:25, "Daniel A." <ldrada@gmail.com> wrote:
> Hi, quick question.
> How do I update the OpenSSH which ships with FreeBSD 6.0-RELEASE by default?
>
> It's just that I don't feel secure running an old version (4.2p1) of
> OpenSSH when there is a newer (4.3) version available.

To get security fixes, you have to update the base system to at least
one of the security branches or 6-STABLE.

The differences of /usr/src/UPDATING between RELENG_6_0_0_RELEASE (which
marks the 6.0-RELEASE in CVS) and the RELENG_6_0 branch are currently:

# Index: UPDATING
# ===================================================================
# RCS file: /home/ncvs/src/UPDATING,v
# retrieving revision 1.416.2.3.2.5
# retrieving revision 1.416.2.3.2.9
# diff -u -r1.416.2.3.2.5 -r1.416.2.3.2.9
# --- UPDATING    1 Nov 2005 23:43:49 -0000       1.416.2.3.2.5
# +++ UPDATING    25 Jan 2006 10:01:25 -0000      1.416.2.3.2.9
# @@ -8,6 +8,37 @@
#  /usr/ports/UPDATING.  Please read that file before running
#  portupgrade.
#
# +20060125:      p4      FreeBSD-SA-06:06.kmem, FreeBSD-SA-06:07.pf
# +       Make sure buffers in if_bridge are fully initialized before
# +       copying them to userland.  Correct a logic error which could
# +       allow too much data to be copied into userland. [06:06]
# +
# +       Correct an error in pf handling of IP packet fragments which
# +       could result in a kernel panic. [06:07]
# +
# +20060118:      p3      FreeBSD-SA-06:05.80211
# +       Correct a buffer overflow when scanning for 802.11 wireless
# +       networks which can be provoked by corrupt beacon or probe
# +       response frames.
# +
# +20060111:      p2      FreeBSD-SA-06:01.texindex, FreeBSD-SA-06:02.ee,
# +                       FreeBSD-SA-06:03.cpio, FreeBSD-SA-06:04.ipfw
# +       Correct insecure temporary file usage in texindex. [06:01]
# +
# +       Correct insecure temporary file usage in ee. [06:02]
# +
# +       Correct a race condition when setting file permissions,
# +       sanitize file names by default, and fix a buffer overflow
# +       when handling files larger than 4GB in cpio. [06:03]
# +
# +       Fix an error in the handling of IP fragments in ipfw which
# +       can cause a kernel panic. [06:04]
# +
# +20051219:      p1      FreeBSD-EN-05:04.nfs
# +       Correct a locking issue in nfs_lookup() where a call to vrele()
# +       might be made while holding the vnode mutex, which resulted
# +       in kernel panics under certain load patterns.
# +
#  20051101:
#         FreeBSD 6.0-RELEASE
#
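Review bot: none of the p1 through p4 entries in this hunk references an OpenSSH advisory, which is what the conclusion below about keeping the base OpenSSH rests on; note also that the p1 entry is an Errata Notice (FreeBSD-EN-05:04.nfs) rather than a Security Advisory, so anyone tallying what a given patch level contains should match both the FreeBSD-SA- and FreeBSD-EN- prefixes, not SA alone.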
# @@ -404,4 +435,4 @@
#  Contact Warner Losh if you have any questions about your use of
#  this document.
#
# -$FreeBSD: src/UPDATING,v 1.416.2.3.2.5 2005/11/01 23:43:49 scottl Exp $
# +$FreeBSD: src/UPDATING,v 1.416.2.3.2.9 2006/01/25 10:01:25 cperciva Exp $

Since there haven't been any security fixes for OpenSSH in the RELENG_6_0
branch, I think you can safely assume it's ok to keep using this OpenSSH
version.

As a general principle though, you should definitely check the announcements
of the security team, at:

    http://www.FreeBSD.org/security/

and decide for yourself when you need to update, how to update, etc.

- Giorgos
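The check this reply performs by hand, scanning the security-branch UPDATING entries for an advisory that names a given component and for what a given patch level still lacks, as an added shell example that is not code from the original mail. It runs over a constructed excerpt modelled on the hunk quoted above and assumes the "YYYYMMDD:  pN  FreeBSD-SA-YY:NN.component" header layout of UPDATING entries, with advisory lists allowed to wrap onto indented lines.

```sh
#!/bin/sh
# Constructed sample modelled on the UPDATING hunk quoted above (not the real file).
SAMPLE_UPDATING='20060125:      p4      FreeBSD-SA-06:06.kmem, FreeBSD-SA-06:07.pf
        Make sure buffers in if_bridge are fully initialized. [06:06]
20060118:      p3      FreeBSD-SA-06:05.80211
        Correct a buffer overflow when scanning for 802.11 networks.
20060111:      p2      FreeBSD-SA-06:01.texindex, FreeBSD-SA-06:02.ee,
                       FreeBSD-SA-06:03.cpio, FreeBSD-SA-06:04.ipfw
        Correct insecure temporary file usage in texindex. [06:01]
20051219:      p1      FreeBSD-EN-05:04.nfs
        Correct a locking issue in nfs_lookup().
20051101:
        FreeBSD 6.0-RELEASE'

# Print "<patch level number> <advisory id>" for every advisory in $1.  Advisory
# lists may wrap onto indented lines, so the level of the last dated header is carried.
advisories_by_patchlevel() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+:/ { level = ($2 ~ /^p[0-9]+$/) ? substr($2, 2) + 0 : 0 }
        { line = $0
          while (match(line, /FreeBSD-(SA|EN)-[0-9]+:[0-9]+\.[A-Za-z0-9]+/)) {
              print level, substr(line, RSTART, RLENGTH)
              line = substr(line, RSTART + RLENGTH)
          } }'
}

# Highest patch level mentioned in $1, e.g. "p4".
latest_patchlevel() {
    advisories_by_patchlevel "$1" |
        awk 'BEGIN { max = 0 } $1 > max { max = $1 } END { print "p" max }'
}

# Advisories whose component suffix matches $2 (case-insensitive); exit 1 if none.
advisories_for_component() {
    advisories_by_patchlevel "$1" |
        awk -v c="$2" 'tolower($2) ~ ("\\." tolower(c) "$") { print $2 }' | grep .
}

# Advisories a system at patch level $2 (the "pN" suffix of uname -r, empty or
# "p0" for a plain RELEASE) has not yet received; exit 1 if it is fully patched.
missing_advisories() {
    have=$(printf '%s' "$2" | sed 's/^p//')
    advisories_by_patchlevel "$1" |
        awk -v have="${have:-0}" '$1 > have { print $2 }' | grep .
}

# Stand-alone demo: the check the mail performs by hand, for OpenSSH.
advisories_for_component "$SAMPLE_UPDATING" openssh ||
    echo "no OpenSSH advisory up to $(latest_patchlevel "$SAMPLE_UPDATING")"
```

Against a real tree, pass the contents of /usr/src/UPDATING and the pN suffix of uname -r to missing_advisories to list what the running system still lacks.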
