Date:      Tue, 16 Jul 2002 22:54:18 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Warner Joseph <Joseph.Warner@siemens.com>
Cc:        "'Joshua Lee'" <yid@softhome.net>, freebsd-questions@FreeBSD.ORG
Subject:   Re: Upgrading SSH
Message-ID:  <20020716215418.GA37671@happy-idiot-talk.infracaninophi>
In-Reply-To: <F59D56D98019A24391D6396DD708C8210C5AF3@MLVV9MBE.usmlvv1p0a.smshsc.net>
References:  <F59D56D98019A24391D6396DD708C8210C5AF3@MLVV9MBE.usmlvv1p0a.smshsc.net>

On Tue, Jul 16, 2002 at 04:44:35PM -0400, Warner Joseph wrote:

> I'm familiar with this and run 'make world' often
> in order to stay up to date.  However, it's my
> understanding that Openssh-3.4 wasn't included
> with the base install, meaning that simply running
> cvsup and doing a 'make world' would still leave you
> with the vulnerable version.  Is this incorrect?

The ssh bundled with 4-STABLE and the security branches never was
vulnerable to the recent OpenSSH compromise.  More by luck than
judgement --- 4-STABLE was using a version based on OpenSSH 2.9 until
recently, and that preceded the incorporation of the block of code
where the bug manifested itself.

As a result of the hype surrounding the announcement of the OpenSSH
bug, when it wasn't at all clear exactly what older versions were
affected, the decision was taken to upgrade to the latest portable
OpenSSH 4.3p1 in 4-STABLE.  Hence the easiest way to upgrade right now
is just to cvsup a recent version of stable and make world in the
usual fashion.

It turns out that the only version of FreeBSD that ever contained a
vulnerable OpenSSH in the base system was 5-CURRENT, as per the recent
security advisement: FreeBSD-SA-02:31.openssh.asc
(ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02%3A31.openssh.asc)

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
Tel: +44 1628 476614                                  Marlow
Fax: +44 0870 0522645                                 Bucks., SL7 1TH UK
