Date:      Tue, 02 Jul 2024 18:50:44 -0600
From:      Brett Glass <brett@lariat.net>
To:        questions@freebsd.org
Subject:   Close OpenSSH hole on 13.1-RELEASE server without shutting down?
Message-ID:  <202407030050.SAA06884@mail.lariat.net>

Hello!

We have a server running FreeBSD 13.1-RELEASE (current patch level: 
p5) in a remote location. It's running well, and uses a custom 
statically linked kernel with no loadable modules to conserve 
memory and allow better security.

We just found out about the latest OpenSSH bug, and want to patch. 
Unfortunately, the freebsd-update utility isn't updating it, 
because it is JUST ONE POINT VERSION beyond the earliest one for 
which the Security Team has provided updates. And we can't shut the 
server down to do a major upgrade right now. (Upgrades to systems 
using custom kernels are especially dicey and frequently result in 
lockouts, which in this case would not only interrupt important 
activities but require a 50 mile drive.)

Any ideas as to how to JUST upgrade OpenSSH? I've looked at 
installing the openssh-portable binary package, but when I start 
the process by doing a "pkg update" I get a warning message 
indicating OS mismatches for lots of packages. The error messages 
all include the line

To ignore this error set IGNORE_OSVERSION=yes

(which I assume means to start sh, set that environment variable in 
the shell, and then run the command). Is this safe?

--Brett Glass
