From owner-freebsd-questions Tue Jun 25 15:26:19 2002
Date: Tue, 25 Jun 2002 23:26:06 +0100
From: Scott Mitchell
To: Matthew Seaman
Cc: Christopher Schulte, Lord Raiden, Marco Radzinschi, FreeBSD-Questions
Subject: Re: Upcoming OpenSSH vulnerability (fwd)
Message-ID: <20020625232606.C381@fishballoon.dyndns.org>
References: <5.1.1.6.2.20020624224948.02923518@pop3s.schulte.org> <20020624234646.G22328-100000@mail.radzinschi.com> <4.2.0.58.20020625134233.009992b0@pop.netzero.net> <5.1.1.6.2.20020625124040.041c50f0@pop3s.schulte.org> <20020625205840.B381@fishballoon.dyndns.org> <20020625205928.GA50230@happy-idiot-talk.infracaninophi>
In-Reply-To: <20020625205928.GA50230@happy-idiot-talk.infracaninophi>; from m.seaman@infracaninophile.co.uk on Tue, Jun 25, 2002 at 09:59:28PM +0100
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
X-Operating-System: FreeBSD 4.6-STABLE i386

On Tue, Jun 25, 2002 at 09:59:28PM +0100, Matthew Seaman wrote:
> On Tue, Jun 25, 2002 at 08:58:40PM +0100, Scott Mitchell wrote:
>
> > With previous ssh vulnerabilities I've been able to just patch the base
> > system, by rebuilding the world or using the patch included with the
> > advisory. However, to get to 3.3 it looks like I'd need to install a port.
> >
> > There are two OpenSSH ports: security/openssh and security/openssh-portable
> >
> > What's the difference between these two ports?
>
> security/openssh is the straight OpenBSD code, also used in NetBSD.
> security/openssh-portable is the modified portable version everyone
> else uses. The main difference is that openssh-portable includes pam
> support.
>
> > Which one should I install to deal with this vulnerability?
>
> Either will do: however the plan is that OpenSSH as supplied in the
> base system will be upgraded to OpenSSH portable in the very near
> future. As there shouldn't be too many FreeBSD specific modifications
> to the portable code, it's likely that we'll be tracking new releases
> of OpenSSH rather more closely than has been the case up to now.
>
> I'd install openssh-portable 3.3p1 now, before the full disclosure of
> the vulnerability on (I think) Thursday, which should tide you over
> until the base system gets 3.4p1 with the full patch. You need to
> install 3.3p1 from a ports tree cvsup'd sometime after last night to
> get the separation of privilege thing, which will provide almost
> complete protection from the security hole.

Thanks Matthew, a most helpful answer. I saw all the src/crypto/openssh-portable come across in the cvsup I just ran... hopefully that will come into -STABLE before too long as well.

I see the openssh-portable port Makefile has an OPENSSH_OVERWRITE_BASE option. Presumably I can set that and NO_OPENSSH in make.conf to have the port replace the base ssh temporarily -- fewer things to undo when 3.4p1 hits the base system.

Any non-obvious disadvantages to that approach that I'm not seeing?

Thanks again,

Scott

-- 
===========================================================================
Scott Mitchell          | PGP Key ID | "Eagles may soar, but weasels
Cambridge, England      | 0x54B171B9 |  don't get sucked into jet engines"
scott.mitchell@mail.com | 0xAA775B8B |                        -- Anon
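A defender's triage helper for the situation in this thread, added here as an example and not part of the original mail: it parses the identification banner sshd sends on connect and applies the thresholds Matthew gives (3.3p1 is mitigated only with privilege separation, 3.4p1 carries the full patch). The banner strings and host names are constructed; a banner cannot show whether UsePrivilegeSeparation is actually on, so 3.3 hosts are flagged for a manual sshd_config check rather than marked safe.

```python
"""Classify sshd banners against the fix levels named in the thread.

Thresholds encode only what the mail states (added example, not the
list's or the project's code):
  * OpenSSH 3.4p1 has the full patch            -> "fixed"
  * OpenSSH 3.3p1 relies on privilege separation -> "mitigated-if-privsep"
  * anything older                               -> "vulnerable"
"""
import re

# Matches "SSH-2.0-OpenSSH_3.3p1 <optional vendor comment>" and the
# OpenBSD-port form without a "p" suffix, e.g. "SSH-1.99-OpenSSH_3.3".
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\.\d+)?(?P<portable>p\d+)?"
)

FULL_FIX = (3, 4)             # 3.4p1: full patch
PRIVSEP_MITIGATION = (3, 3)   # 3.3p1: privsep limits the impact


def parse_banner(banner: str):
    """Return (major, minor, is_portable) or None for non-OpenSSH banners."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return int(m.group("major")), int(m.group("minor")), m.group("portable") is not None


def classify(banner: str) -> str:
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"           # not OpenSSH: needs a different check
    version = parsed[:2]
    if version >= FULL_FIX:
        return "fixed"
    if version == PRIVSEP_MITIGATION:
        return "mitigated-if-privsep"   # confirm UsePrivilegeSeparation by hand
    return "vulnerable"


def triage(banners):
    """Group hosts by status so the ones needing the port upgrade stand out."""
    report = {}
    for host, banner in banners.items():
        report.setdefault(classify(banner), []).append(host)
    return report


# Constructed sample inventory: host name -> banner read from port 22.
SAMPLE_HOSTS = {
    "host-a": "SSH-2.0-OpenSSH_3.1p1",
    "host-b": "SSH-1.99-OpenSSH_3.3p1",
    "host-c": "SSH-2.0-OpenSSH_3.4p1 vendor-comment",
    "host-d": "SSH-2.0-OpenSSH_3.3",
    "host-e": "SSH-2.0-OtherSSH_1.0",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_HOSTS).items()):
        print(f"{status:22s} {', '.join(sorted(hosts))}")
```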