Re: Updating OpenSSH

2011-03-18 Thread krad
On 17 March 2011 11:52, Robert Huff roberth...@rcn.com wrote:


 Carmel writes:

   It is part of the base system. I don't know if it has a true
   maintainer. In any case, I would need commit privileges which I
   don't and never expect to have and have no desire to acquire..

 I do not believe that is correct; a fair number of people
 contribute productively to the base system without being
 committers.

Respectfully,


Robert Huff

 ___
 freebsd-questions@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to 
 freebsd-questions-unsubscr...@freebsd.org



Yep, you just submit a patch, which, if it passes muster, will get committed.


Re: Updating OpenSSH

2011-03-17 Thread krad
On 16 March 2011 19:47, Carmel carmel...@hotmail.com wrote:

 On Wed, 16 Mar 2011 11:32:48 -0700
 Chuck Swiger cswi...@mac.com articulated:

  On Mar 16, 2011, at 11:24 AM, Carmel wrote:
   OK, then does that mean that the latest version will be used in the
   still not released 9 version of FreeBSD?
 
  Currently, no-- TRUNK has:
 
 
 http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/src/crypto/openssh/version.h
 
  Revision 1.41: download - view: text, markup, annotated - select for
  diffs Thu Nov 11 11:46:19 2010 UTC (4 months ago) by des
  Branches: MAIN
  CVS tags: HEAD
  Diff to: previous 1.40: preferred, colored
  Changes since revision 1.40: +3 -3 lines
  SVN rev 215116 on 2010-11-11 11:46:19Z by des
 
  Upgrade to OpenSSH 5.6p1.

 Out of some sort of morbid curiosity, why would the FreeBSD developers
 not update to the latest version? It appears to be stable and I have not
 seen anything to state otherwise. There are apparently, (obviously)
 differences between the latest and the version presently used in
 FreeBSD and I assume the proposed one for the 9.x branch. Matthew
 alluded to that. In any case, since 9.x is not due out for a while, it
 would appear to me anyways that now would be a good time to consider
 making the switch.

 Just my 2¢.

 --
 Carmel
 carmel...@hotmail.com

 The latest toy has just hit the shops - a talking Muslim doll. Nobody
 knows what the hell it says because no one's got the balls to pull the
 cord.


A combination of time and limited resources, I guess. If it bugs you that
much, why don't you volunteer yourself to maintain it? I'm sure that if you
don't feel competent enough at present, people will help and mentor you.


Re: Updating OpenSSH

2011-03-17 Thread Carmel
On Thu, 17 Mar 2011 10:46:44 +
krad kra...@gmail.com articulated:

[snip]

 A combination of time and limited resources, I guess. If it bugs you
 that much, why don't you volunteer yourself to maintain it? I'm sure
 that if you don't feel competent enough at present, people will help
 and mentor you.

It is part of the base system. I don't know if it has a true
maintainer. In any case, I would need commit privileges which I
don't and never expect to have and have no desire to acquire..

It would be nice if the powers that be would elaborate on this simple
inquiry; however, I feel that is not likely to happen.

-- 
Carmel ✌
carmel...@hotmail.com



Re: Updating OpenSSH

2011-03-17 Thread Robert Huff

Carmel writes:

  It is part of the base system. I don't know if it has a true
  maintainer. In any case, I would need commit privileges which I
  don't and never expect to have and have no desire to acquire..

I do not believe that is correct; a fair number of people
contribute productively to the base system without being
committers.

Respectfully,


Robert Huff



Updating OpenSSH

2011-03-16 Thread Carmel
I was just wondering about the version of SSH used on FreeBSD.

According to the OpenSSH page:

OpenSSH 5.8/5.8p1 released February 4, 2011 [contains security fix]

Now, according to my system, FreeBSD-8.2, I have this version:

OpenSSH_5.4p1 FreeBSD-20100308, OpenSSL 0.9.8q 2 Dec 2010

# openssl version
OpenSSL 1.0.0d 8 Feb 2011

So why is an older version shown? Also, when does the FreeBSD
team intend to update the system OpenSSH version?

I have the following notation in my /etc/make.conf file:

WITH_OPENSSL_PORT=yes

Should I have something else also? I have FreeBSD 8.2-STABLE installed.

-- 
Carmel
carmel...@hotmail.com


Re: Updating OpenSSH

2011-03-16 Thread Matthew Seaman
On 16/03/2011 13:38, Carmel wrote:
 I was just wondering about the version of SSH used on FreeBSD.
 
 According to the OpenSSH page:
 
 OpenSSH 5.8/5.8p1 released February 4, 2011 [contains security fix]
 
 Now, according to my system, FreeBSD-8.2, I have this version:
 
 OpenSSH_5.4p1 FreeBSD-20100308, OpenSSL 0.9.8q 2 Dec 2010
 
 # openssl version
 OpenSSL 1.0.0d 8 Feb 2011
 
 So why is an older version shown? Also, when does the FreeBSD
 team intend to update the system OpenSSH version?
 
 I have the following notation in my /etc/make.conf file:
 
   WITH_OPENSSL_PORT=yes
 
 Should I have something else also? I have FreeBSD 8.2-STABLE installed.
 

The version of OpenSSH shipped with any release of the OS is exceedingly
unlikely to be updated within the lifetime of that release.  Not unless
there was a killer problem, and it turned out easier to update the whole
shebang rather than just patching the problem.

Why wasn't OpenSSH updated in stable/8 before 8.2-RELEASE? Good
question.  I don't actually know.  It's quite possible that no one had
sufficient spare cycles to do the work required, and that the changes
between 5.4 and 5.8 were not sufficiently compelling for anyone to make
the time.

As for security vulnerabilities: did you check on the OpenSSH site?  The
vulnerability fixed in 5.8 (information leak in signed SSH keys) only
applies to versions 5.6 and 5.7 -- that's because the whole 'signed key'
thing isn't in version 5.4 at all.

I can tell you that the FreeBSD Security Team is extremely efficient and
would have had patches and security advisories out for this problem
within a matter of hours of the OpenSSH announcement *if it had been
relevant*.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW
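
The affected-range reasoning in the message above, as an added example that is not part of the original thread: it classifies an `ssh -V` banner against the range the reply states (5.6 and 5.7, fixed in 5.8). The function names and the 5.6p1 and 5.8p1 banners are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: "older than upstream" is not the same
# as "inside the affected range", so test the range explicitly.

# Print MAJOR.MINOR from an `ssh -V` banner; print nothing for other input.
openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Map MAJOR.MINOR to one integer so that versions compare numerically
# (a plain string comparison would sort 5.10 before 5.9).
version_key() {
    echo $(( ${1%%.*} * 1000 + ${1#*.} ))
}

# classify BANNER FIRST_AFFECTED LAST_AFFECTED
classify() {
    v=$(openssh_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"              # not an OpenSSH banner
        return 0
    fi
    k=$(version_key "$v")
    if [ "$k" -lt "$(version_key "$2")" ]; then
        echo "not-affected-older"   # predates the first affected release
    elif [ "$k" -gt "$(version_key "$3")" ]; then
        echo "not-affected-fixed"   # newer than the last affected release
    else
        echo "affected"
    fi
}

# First banner is the one quoted in the thread; the other two are constructed.
for banner in \
    "OpenSSH_5.4p1 FreeBSD-20100308, OpenSSL 0.9.8q 2 Dec 2010" \
    "OpenSSH_5.6p1 constructed-sample" \
    "OpenSSH_5.8p1 constructed-sample"
do
    printf '%-20s %s\n' "$(classify "$banner" 5.6 5.7)" "$banner"
done
```

On a live host the banner comes from `ssh -V 2>&1`, since ssh prints its version to standard error.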





Re: Updating OpenSSH

2011-03-16 Thread Carmel
On Wed, 16 Mar 2011 14:35:09 +
Matthew Seaman m.sea...@infracaninophile.co.uk articulated:

 On 16/03/2011 13:38, Carmel wrote:
  I was just wondering about the version of SSH used on FreeBSD.
  
  According to the OpenSSH page:
  
  OpenSSH 5.8/5.8p1 released February 4, 2011 [contains security fix]
  
  Now, according to my system, FreeBSD-8.2, I have this version:
  
  OpenSSH_5.4p1 FreeBSD-20100308, OpenSSL 0.9.8q 2 Dec 2010
  
  # openssl version
  OpenSSL 1.0.0d 8 Feb 2011
  
  So why is an older version shown? Also, when does the FreeBSD
  team intend to update the system OpenSSH version?
  
  I have the following notation in my /etc/make.conf file:
  
  WITH_OPENSSL_PORT=yes
  
  Should I have something else also? I have FreeBSD 8.2-STABLE
  installed.
  
 
 The version of OpenSSH shipped with any release of the OS is
 exceedingly unlikely to be updated within the lifetime of that
 release.  Not unless there was a killer problem, and it turned out
 easier to update the whole shebang rather than just patching the
 problem.
 
 Why wasn't OpenSSH updated in stable/8 before 8.2-RELEASE? Good
 question.  I don't actually know.  It's quite possible that no one had
 sufficient spare cycles to do the work required, and that the changes
 between 5.4 and 5.8 were not sufficiently compelling for anyone to
 make the time.

OK, then does that mean that the latest version will be used in the
still not released 9 version of FreeBSD?

 As for security vulnerabilities: did you check on the OpenSSH site?
 The vulnerability fixed in 5.8 (information leak in signed SSH keys)
 only applies to versions 5.6 and 5.7 -- that's because the whole
 'signed key' thing isn't in version 5.4 at all.

No, all I did was check for the current version.

 I can tell you that the FreeBSD Security Team is extremely efficient
 and would have had patches and security advisories out for this
 problem within a matter of hours of the OpenSSH announcement *if it
 had been relevant*.

-- 
Carmel
carmel...@hotmail.com



Re: Updating OpenSSH

2011-03-16 Thread Chuck Swiger
On Mar 16, 2011, at 11:24 AM, Carmel wrote:
 OK, then does that mean that the latest version will be used in the
 still not released 9 version of FreeBSD?

Currently, no-- TRUNK has:

  http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/src/crypto/openssh/version.h

Revision 1.41: download - view: text, markup, annotated - select for diffs
Thu Nov 11 11:46:19 2010 UTC (4 months ago) by des
Branches: MAIN
CVS tags: HEAD
Diff to: previous 1.40: preferred, colored
Changes since revision 1.40: +3 -3 lines
SVN rev 215116 on 2010-11-11 11:46:19Z by des

Upgrade to OpenSSH 5.6p1.

Regards,
-- 
-Chuck



Re: Updating OpenSSH

2011-03-16 Thread Carmel
On Wed, 16 Mar 2011 11:32:48 -0700
Chuck Swiger cswi...@mac.com articulated:

 On Mar 16, 2011, at 11:24 AM, Carmel wrote:
  OK, then does that mean that the latest version will be used in the
  still not released 9 version of FreeBSD?
 
 Currently, no-- TRUNK has:
 
   
 http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/src/crypto/openssh/version.h
 
 Revision 1.41: download - view: text, markup, annotated - select for
 diffs Thu Nov 11 11:46:19 2010 UTC (4 months ago) by des
 Branches: MAIN
 CVS tags: HEAD
 Diff to: previous 1.40: preferred, colored
 Changes since revision 1.40: +3 -3 lines
 SVN rev 215116 on 2010-11-11 11:46:19Z by des
 
 Upgrade to OpenSSH 5.6p1.

Out of some sort of morbid curiosity, why would the FreeBSD developers
not update to the latest version? It appears to be stable and I have not
seen anything to state otherwise. There are apparently, (obviously)
differences between the latest and the version presently used in
FreeBSD and I assume the proposed one for the 9.x branch. Matthew
alluded to that. In any case, since 9.x is not due out for a while, it
would appear to me anyways that now would be a good time to consider
making the switch.

Just my 2¢.

-- 
Carmel
carmel...@hotmail.com

The latest toy has just hit the shops - a talking Muslim doll. Nobody
knows what the hell it says because no one's got the balls to pull the
cord.


Re: Updating OpenSSH

2006-02-26 Thread Erik Nørgaard

Daniel A. wrote:

So, basically, if I want the newest version of OpenSSH running on my
system, I have to not use the one shipped with 6.0-RELEASE, and
install OpenSSH from ports?


Please don't toppost.

Installing from ports you'll get version 3.6.1. Before you get paranoid, 
check the changelog - are there any changes that you actually need? do 
they provide increased security?


Cheers, Erik

--
Ph: +34.666334818   web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2


Re: Updating OpenSSH

2006-02-26 Thread Chris
On 26/02/06, Erik Nørgaard [EMAIL PROTECTED] wrote:

 Daniel A. wrote:
  So, basically, if I want the newest version of OpenSSH running on my
  system, I have to not use the one shipped with 6.0-RELEASE, and
  install OpenSSH from ports?

 Please don't toppost.

 Installing from ports you'll get version 3.6.1. Before you get paranoid,
 check the changelog - are there any changes that you actually need? do
 they provide increased security?

 Cheers, Erik

 --
 Ph: +34.666334818   web: http://www.locolomo.org
 S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
 Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
 Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2


I use openssh-portable. There is one change regarding compression that
fixes a security problem that wasn't ported over to the security branch, and
another security flaw which I believe made it to a security list, but I
cannot remember which one.  Again, this didn't make the security branch.  I
also think it's a good idea to keep up to date in case they patch up
unpublished vulnerabilities that they keep private.  Regarding stopping
users running the base version, there are a few ways to do it, ranging from
deleting the base binaries and disabling it in make.conf so it doesn't get
rebuilt on a buildworld, to making sure /usr/local/bin comes before
/usr/bin in the path so that when ssh is typed the portable version is run.

Chris


Updating OpenSSH

2006-02-25 Thread Daniel A.
Hi, quick question.
How do I update the OpenSSH which ships with FreeBSD6.0-RELEASE by default?

It's just that I don't feel secure running an old version (4.2p1) of
OpenSSH when there is a newer (4.3) version available.


Re: Updating OpenSSH

2006-02-25 Thread Giorgos Keramidas
On 2006-02-26 01:25, Daniel A. [EMAIL PROTECTED] wrote:
 Hi, quick question.
 How do I update the OpenSSH which ships with FreeBSD6.0-RELEASE by default?

 It's just that I don't feel secure running an old version (4.2p1) of
 OpenSSH when there is a newer (4.3) version available.

To get security fixes, you have to update the base system to at least
one of the security branches or 6-STABLE.

The differences of /usr/src/UPDATING between RELENG_6_0_0_RELEASE (which
marks the 6.0-RELEASE in CVS) and the RELENG_6_0 branch are currently:

# Index: UPDATING
# ===
# RCS file: /home/ncvs/src/UPDATING,v
# retrieving revision 1.416.2.3.2.5
# retrieving revision 1.416.2.3.2.9
# diff -u -r1.416.2.3.2.5 -r1.416.2.3.2.9
# --- UPDATING1 Nov 2005 23:43:49 -   1.416.2.3.2.5
# +++ UPDATING25 Jan 2006 10:01:25 -  1.416.2.3.2.9
# @@ -8,6 +8,37 @@
#  /usr/ports/UPDATING.  Please read that file before running
#  portupgrade.
#
# +20060125:  p4  FreeBSD-SA-06:06.kmem, FreeBSD-SA-06:07.pf
# +   Make sure buffers in if_bridge are fully initialized before
# +   copying them to userland.  Correct a logic error which could
# +   allow too much data to be copied into userland. [06:06]
# +
# +   Correct an error in pf handling of IP packet fragments which
# +   could result in a kernel panic. [06:07]
# +
# +20060118:  p3  FreeBSD-SA-06:05.80211
# +   Correct a buffer overflow when scanning for 802.11 wireless
# +   networks which can be provoked by corrupt beacon or probe
# +   response frames.
# +
# +20060111:  p2  FreeBSD-SA-06:01.texindex, FreeBSD-SA-06:02.ee,
# +   FreeBSD-SA-06:03.cpio, FreeBSD-SA-06:04.ipfw
# +   Correct insecure temporary file usage in texindex. [06:01]
# +
# +   Correct insecure temporary file usage in ee. [06:02]
# +
# +   Correct a race condition when setting file permissions,
# +   sanitize file names by default, and fix a buffer overflow
# +   when handling files larger than 4GB in cpio. [06:03]
# +
# +   Fix an error in the handling of IP fragments in ipfw which
# +   can cause a kernel panic. [06:04]
# +
# +20051219:  p1  FreeBSD-EN-05:04.nfs
# +   Correct a locking issue in nfs_lookup() where a call to vrele()
# +   might be made while holding the vnode mutex, which resulted
# +   in kernel panics under certain load patterns.
# +
#  20051101:
# FreeBSD 6.0-RELEASE
#
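Review bot: the 20060118 (p3) and 20051219 (p1) entries give their fix text without a bracketed advisory tag, while the p4 and p2 entries tag each paragraph ([06:06], [06:07], [06:01] to [06:04]); adding [06:05] and [05:04] would let a reader grep any fix paragraph by advisory number regardless of how many advisories share a patch level. The p2 header also wraps its advisory list onto a second line, so anything that reads only the dated line will miss FreeBSD-SA-06:03.cpio and FreeBSD-SA-06:04.ipfw.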
# @@ -404,4 +435,4 @@
#  Contact Warner Losh if you have any questions about your use of
#  this document.
#
# -$FreeBSD: src/UPDATING,v 1.416.2.3.2.5 2005/11/01 23:43:49 scottl Exp $
# +$FreeBSD: src/UPDATING,v 1.416.2.3.2.9 2006/01/25 10:01:25 cperciva Exp $

Since there haven't been any security fixes for OpenSSH in the RELENG_6_0
branch, I think you can safely assume it's ok to keep using this OpenSSH
version.

As a general principle though, you should definitely check the announcements
of the security team, at:

http://www.FreeBSD.org/security/

and decide for yourself when you need to update, how to update, etc.

- Giorgos
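
The check described in this message, as an added example that is not part of the original post: it lists the advisories recorded in UPDATING patch-level entries and filters them by topic. The function names are hypothetical, the sample text is abridged from the entries quoted above, and matching a component by the suffix after the dot in the advisory name (`.pf`, `.cpio`) is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: read UPDATING on stdin and print
# "DATE PATCHLEVEL ADVISORY" for each advisory, optionally for one topic.

# updating_advisories [TOPIC] < UPDATING
updating_advisories() {
    awk -v want="${1:-}" '
        # Print every advisory id found in fields from..NF of this line.
        function emit(from,   i, id, topic) {
            for (i = from; i <= NF; i++) {
                id = $i
                sub(/,$/, "", id)
                if (id !~ /^FreeBSD-(SA|EN)-/) continue
                topic = id
                sub(/^.*\./, "", topic)        # text after the last dot
                if (want == "" || tolower(topic) == tolower(want))
                    print date, level, id
            }
        }
        # Entry header: YYYYMMDD: pN advisory[, advisory ...]
        /^[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:/ {
            date = substr($1, 1, 8)
            level = $2
            emit(3)
            cont = ($0 ~ /,[ \t]*$/)           # list wraps to the next line
            next
        }
        # Continuation of a wrapped advisory list (the p2 entry does this).
        cont {
            emit(1)
            cont = ($0 ~ /,[ \t]*$/)
        }
    '
}

# Sample input, abridged from the UPDATING entries quoted in the message.
sample_updating() {
    cat <<'EOF'
20060125:  p4  FreeBSD-SA-06:06.kmem, FreeBSD-SA-06:07.pf
    Make sure buffers in if_bridge are fully initialized before
    copying them to userland. [06:06]

20060118:  p3  FreeBSD-SA-06:05.80211
    Correct a buffer overflow when scanning for 802.11 wireless
    networks.

20060111:  p2  FreeBSD-SA-06:01.texindex, FreeBSD-SA-06:02.ee,
    FreeBSD-SA-06:03.cpio, FreeBSD-SA-06:04.ipfw
    Correct insecure temporary file usage in texindex. [06:01]

20051219:  p1  FreeBSD-EN-05:04.nfs
    Correct a locking issue in nfs_lookup().

20051101:
    FreeBSD 6.0-RELEASE
EOF
}

sample_updating | updating_advisories
matches=$(sample_updating | updating_advisories openssh)
if [ -n "$matches" ]; then
    printf 'openssh advisories:\n%s\n' "$matches"
else
    echo "no advisory with topic openssh in these entries"
fi
```

Against a real source tree the input would be `/usr/src/UPDATING` on the branch being tracked.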



Re: Updating OpenSSH

2006-02-25 Thread Daniel A.
So, basically, if I want the newest version of OpenSSH running on my
system, I have to not use the one shipped with 6.0-RELEASE, and
install OpenSSH from ports?

On 2/26/06, Giorgos Keramidas [EMAIL PROTECTED] wrote:
 On 2006-02-26 01:25, Daniel A. [EMAIL PROTECTED] wrote:
  Hi, quick question.
  How do I update the OpenSSH which ships with FreeBSD6.0-RELEASE by default?
 
  It's just that I don't feel secure running an old version (4.2p1) of
  OpenSSH when there is a newer (4.3) version available.

 To get security fixes, you have to update the base system to at least
 one of the security branches or 6-STABLE.

 The differences of /usr/src/UPDATING between RELENG_6_0_0_RELEASE (which
 marks the 6.0-RELEASE in CVS) and the RELENG_6_0 branch are currently:

 # Index: UPDATING
 # ===
 # RCS file: /home/ncvs/src/UPDATING,v
 # retrieving revision 1.416.2.3.2.5
 # retrieving revision 1.416.2.3.2.9
 # diff -u -r1.416.2.3.2.5 -r1.416.2.3.2.9
 # --- UPDATING1 Nov 2005 23:43:49 -   1.416.2.3.2.5
 # +++ UPDATING25 Jan 2006 10:01:25 -  1.416.2.3.2.9
 # @@ -8,6 +8,37 @@
 #  /usr/ports/UPDATING.  Please read that file before running
 #  portupgrade.
 #
 # +20060125:  p4  FreeBSD-SA-06:06.kmem, FreeBSD-SA-06:07.pf
 # +   Make sure buffers in if_bridge are fully initialized before
 # +   copying them to userland.  Correct a logic error which could
 # +   allow too much data to be copied into userland. [06:06]
 # +
 # +   Correct an error in pf handling of IP packet fragments which
 # +   could result in a kernel panic. [06:07]
 # +
 # +20060118:  p3  FreeBSD-SA-06:05.80211
 # +   Correct a buffer overflow when scanning for 802.11 wireless
 # +   networks which can be provoked by corrupt beacon or probe
 # +   response frames.
 # +
 # +20060111:  p2  FreeBSD-SA-06:01.texindex, FreeBSD-SA-06:02.ee,
 # +   FreeBSD-SA-06:03.cpio, FreeBSD-SA-06:04.ipfw
 # +   Correct insecure temporary file usage in texindex. [06:01]
 # +
 # +   Correct insecure temporary file usage in ee. [06:02]
 # +
 # +   Correct a race condition when setting file permissions,
 # +   sanitize file names by default, and fix a buffer overflow
 # +   when handling files larger than 4GB in cpio. [06:03]
 # +
 # +   Fix an error in the handling of IP fragments in ipfw which
 # +   can cause a kernel panic. [06:04]
 # +
 # +20051219:  p1  FreeBSD-EN-05:04.nfs
 # +   Correct a locking issue in nfs_lookup() where a call to vrele()
 # +   might be made while holding the vnode mutex, which resulted
 # +   in kernel panics under certain load patterns.
 # +
 #  20051101:
 # FreeBSD 6.0-RELEASE
 #
 # @@ -404,4 +435,4 @@
 #  Contact Warner Losh if you have any questions about your use of
 #  this document.
 #
 # -$FreeBSD: src/UPDATING,v 1.416.2.3.2.5 2005/11/01 23:43:49 scottl Exp $
 # +$FreeBSD: src/UPDATING,v 1.416.2.3.2.9 2006/01/25 10:01:25 cperciva Exp $

 Since there haven't been any security fixes for OpenSSH in the RELENG_6_0
 branch, I think you can safely assume it's ok to keep using this OpenSSH
 version.

 As a general principle though, you should definitely check the announcements
 of the security team, at:

 http://www.FreeBSD.org/security/

 and decide for yourself when you need to update, how to update, etc.

 - Giorgos




Re: Updating OpenSSH

2006-02-25 Thread Giorgos Keramidas
On 2006-02-26 03:32, Daniel A. [EMAIL PROTECTED] wrote:
 So, basically, if I want the newest version of OpenSSH running on my
 system, I have to not use the one shipped with 6.0-RELEASE, and
 install OpenSSH from ports?

Maybe.

But do you *want* the latest version?

If the base-system version is ok enough for your purpose, why spend the
time and effort to install the port, and make sure that the users don't
accidentally run the base-system version?
