Date: Tue, 16 Jul 2002 22:54:18 +0100 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: Warner Joseph <Joseph.Warner@siemens.com> Cc: "'Joshua Lee'" <yid@softhome.net>, freebsd-questions@FreeBSD.ORG Subject: Re: Upgrading SSH Message-ID: <20020716215418.GA37671@happy-idiot-talk.infracaninophi> In-Reply-To: <F59D56D98019A24391D6396DD708C8210C5AF3@MLVV9MBE.usmlvv1p0a.smshsc.net> References: <F59D56D98019A24391D6396DD708C8210C5AF3@MLVV9MBE.usmlvv1p0a.smshsc.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Jul 16, 2002 at 04:44:35PM -0400, Warner Joseph wrote: > I'm familiar with this and run 'make world' often > in order to stay up to date. However, it's my > understanding that Openssh-3.4 wasn't included > with the base install, meaning that simply running > cvsup and doing a 'make world' would still leave you > with the vulnerable version. Is this incorrect? The ssh bundled with 4-STABLE and the security branches never was vulnerable to the recent OpenSSH compromise. More by luck than judgement --- 4-STABLE was using a version based on OpenSSH 2.9 until recently, and that preceeded the incorporation of the block of code where the bug manifested itself. As a result of the hype surrounding the announcement of the OpenSSH bug, when it wasn't at all clear exactly what older versions were affected, the decision was taken to upgrade to the latest portable OpenSSH 4.3p1 in 4-STABLE. Hence the easiest way to upgrade right now is just to cvsup a recent version of stable and make world in the usual fashion. It turns out that the only version of FreeBSD that ever contained a vulnerable OpenSSH in the base system was 5-CURRENT, as per the recent security advisement: FreeBSD-SA-02:31.openssh.asc (ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02%3A31.openssh.asc) Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks Savill Way Tel: +44 1628 476614 Marlow Fax: +44 0870 0522645 Bucks., SL7 1TH UK To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020716215418.GA37671>