Re: Upgrading SSH

2002-07-16 Thread Matthew Seaman

On Tue, Jul 16, 2002 at 04:44:35PM -0400, Warner Joseph wrote:

 I'm familiar with this and run 'make world' often
 in order to stay up to date.  However, it's my
 understanding that Openssh-3.4 wasn't included
 with the base install, meaning that simply running
 cvsup and doing a 'make world' would still leave you
 with the vulnerable version.  Is this incorrect?

The ssh bundled with 4-STABLE and the security branches never was
vulnerable to the recent OpenSSH compromise.  More by luck than
judgement --- 4-STABLE was using a version based on OpenSSH 2.9 until
recently, and that preceded the incorporation of the block of code
where the bug manifested itself.

As a result of the hype surrounding the announcement of the OpenSSH
bug, when it wasn't at all clear exactly what older versions were
affected, the decision was taken to upgrade to the latest portable
OpenSSH 4.3p1 in 4-STABLE.  Hence the easiest way to upgrade right now
is just to cvsup a recent version of stable and make world in the
usual fashion.

It turns out that the only version of FreeBSD that ever contained a
vulnerable OpenSSH in the base system was 5-CURRENT, as per the recent
security advisement: FreeBSD-SA-02:31.openssh.asc
(ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02%3A31.openssh.asc)

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
Tel: +44 1628 476614  Marlow
Fax: +44 0870 0522645 Bucks., SL7 1TH UK

To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message



RE: Upgrading SSH

2002-07-16 Thread Warner Joseph

Thanks Matt!

 As a result of the hype surrounding the announcement of the OpenSSH
 bug, when it wasn't at all clear exactly what older versions were
 affected, the decision was taken to upgrade to the latest portable
 OpenSSH 4.3p1 in 4-STABLE.  Hence the easiest way to upgrade right now
 is just to cvsup a recent version of stable and make world in the
 usual fashion.

Yes, precisely why I said:

 However, it's my understanding that Openssh-3.4 wasn't included

...meaning at that time.

I agree there was quite a bit of confusion regarding
which versions were affected, I was quite confused
at the time myself.  Upgrading Openssh the way I did, 
at that time, was the best option for me.  I take
vulnerabilities seriously and needed ssh patched as
quickly as possible with limited downtime.

It's good to know I won't have to worry about anything
the next time I 'make world'.

Thanks for the good info.

Joe


Siemens - Health Services

Joe Warner 
Operations Technical Analyst II 
215 North Admiral Byrd Rd., Salt Lake City, UT 84116 
Ph:  801-539-4978 
Fax: 801-533-8004 





