Date: Wed, 16 Mar 2011 14:24:31 -0400
From: Carmel <carmel_ny@hotmail.com>
To: FreeBSD <freebsd-questions@freebsd.org>
Subject: Re: Updating OpenSSH
Message-ID: <BLU0-SMTP1738668F39E502E3BEC6EA293CE0@phx.gbl>
In-Reply-To: <4D80CA9D.9010506@infracaninophile.co.uk>
References: <BLU0-SMTP8122271A88031B532DC3DA93CE0@phx.gbl> <4D80CA9D.9010506@infracaninophile.co.uk>

On Wed, 16 Mar 2011 14:35:09 +0000
Matthew Seaman <m.seaman@infracaninophile.co.uk> articulated:

> On 16/03/2011 13:38, Carmel wrote:
> > I was just wondering about the version of SSH used on FreeBSD.
> >
> > According to the OpenSSH page:
> >
> > OpenSSH 5.8/5.8p1 released February 4, 2011 [contains security fix]
> >
> > Now, according to my system, FreeBSD-8.2, I have this version:
> >
> > OpenSSH_5.4p1 FreeBSD-20100308, OpenSSL 0.9.8q 2 Dec 2010
> >
> > # openssl version
> > OpenSSL 1.0.0d 8 Feb 2011
> >
> > So why is an older version shown? Also, when does the FreeBSD
> > team intend to update the system OpenSSH version?
> >
> > I have the following notation in my /etc/make.conf file:
> >
> > WITH_OPENSSL_PORT=yes
> >
> > Should I have something else also? I have FreeBSD 8.2-STABLE
> > installed.
> >
>
> The version of OpenSSH shipped with any release of the OS is
> exceedingly unlikely to be updated within the lifetime of that
> release. Not unless there was a killer problem, and it turned out
> easier to update the whole shebang rather than just patching the
> problem.
>
> Why wasn't OpenSSH updated in stable/8 before 8.2-RELEASE? Good
> question. I don't actually know. It's quite possible that no one had
> sufficient spare cycles to do the work required, and that the changes
> between 5.4 and 5.8 were not sufficiently compelling for anyone to
> make the time.

OK, then does that mean that the latest version will be used in the
still not released 9 version of FreeBSD?

> As for security vulnerabilities: did you check on the OpenSSH site?
> The vulnerability fixed in 5.8 (information leak in signed SSH keys)
> only applies to versions 5.6 and 5.7 -- that's because the whole
> 'signed key' thing isn't in version 5.4 at all.

No, all I did was check for the current version.

> I can tell you that the FreeBSD Security Team is extremely efficient
> and would have had patches and security advisories out for this
> problem within a matter of hours of the OpenSSH announcement *if it
> had been relevant*.

--
Carmel
carmel_ny@hotmail.com