updating system version of OpenSSH


  1. #1

    updating system version of OpenSSH

    What is the procedure for patching/updating system
    version of OpenSSH on an FBSD 5.2.1 box?

    I used the excellent Rootkit Hunter security
    assessment tool:

    [url]http://www.rootkit.nl/projects/rootkit_hunter.html[/url]

    and it found that I'm running OpenSSH 3.6.1p1, which
    has at least one vulnerability.

    I only know how to install/upgrade from ports. OpenSSH
    is part of the ports collection, but the build I'm
    running was included with the OS.

    What's the right way to proceed here?

    thanks

    /wsbs





    David Newman Guest

  3. #2

    Re: updating system version of OpenSSH

    On 02/25/05 20:55, David Newman wrote:
    > What is the procedure for patching/updating system
    > version of OpenSSH on an FBSD 5.2.1 box?
    >
    If you can't afford to upgrade the base OS and you do not want to
    install OpenSSH from the ports, then you'll need to specify what
    vulnerability you are talking about.

    I checked the FreeBSD security advisories which *could* apply to your
    problem and it seems that FreeBSD-SA-04:05.openssl is the one you might
    be talking about. A patch is included with the advisory along with
    instructions on how to apply the patch and fix the issue.

    [url]ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:05.openssl.asc[/url]

    Regards,

    Phil.
    > I used the excellent Rootkit Hunter security
    > assessment tool:
    >
    > [url]http://www.rootkit.nl/projects/rootkit_hunter.html[/url]
    >
    > and it found that I'm running OpenSSH 3.6.1p1, which
    > has at least one vulnerability.
    >
    > I only know how to install/upgrade from ports. OpenSSH
    > is part of the ports collection, but the build I'm
    > running was included with the OS.
    >
    > What's the right way to proceed here?
    >
    > thanks
    >
    > /wsbs
    >
    Phil Schulz Guest

  4. #3

    Re: updating system version of OpenSSH

    David Newman wrote:
    > What is the procedure for patching/updating system
    > version of OpenSSH on an FBSD 5.2.1 box?
    >
    > I used the excellent Rootkit Hunter security
    > assessment tool:
    >
    > [url]http://www.rootkit.nl/projects/rootkit_hunter.html[/url]
    >
    > and it found that I'm running OpenSSH 3.6.1p1, which
    > has at least one vulnerability.
    >
    > I only know how to install/upgrade from ports. OpenSSH
    > is part of the ports collection, but the build I'm
    > running was included with the OS.
    >
    > What's the right way to proceed here?
    >
    > thanks
    >

    Someone please correct me if I'm wrong on this but I believe rkhunter is
    just checking the version 3.6.1 and doesn't account for the 'p1' part
    which refers to a FBSD patch that corrected the vulnerability rkhunter
    is referring to.

    IOW, I don't think you need to update ssh on 5.2.1 if your motive is
    merely that rkhunter flagged it.

    To be sure, check the older security advisories at freebsd.org and I bet
    you'll find a reference to it.

    G
    greg@grokking.org Guest
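
The false-positive concern raised in this reply, as an added example that is not part of the thread: a check that matches only the upstream version number in the SSH identification string cannot tell a vendor-maintained base build from an unpatched one. The banner strings, the addendum date and the flagged-version set are constructed sample values, and the triage labels are hypothetical names.

```python
import re

# SSH identification string: "SSH-<proto>-<software>[ <comments>]" (RFC 4253, 4.2).
# For OpenSSH the software field is OpenSSH_<version>[p<N>]; a vendor build may
# append its own marker in the comments field (assumption: the vendor does so).
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[\d.]+)-OpenSSH_(?P<version>\d+(?:\.\d+)+)"
    r"(?P<portable>p\d+)?(?:\s+(?P<addendum>\S.*))?$"
)


def parse_banner(banner):
    """Split an OpenSSH banner into protocol, version, portable level, addendum."""
    match = BANNER_RE.match(banner.strip())
    if match is None:
        raise ValueError("not an OpenSSH identification string: %r" % banner)
    return match.groupdict()


def triage(banner, flagged_versions):
    """Classify a version-string finding instead of treating it as proof.

    not-flagged              version is not on the scanner's list
    check-vendor-advisories  version is listed, but a vendor addendum is present,
                             so the vendor's advisories decide, not the number
    flagged                  version is listed and nothing marks a vendor build
    """
    info = parse_banner(banner)
    if info["version"] not in flagged_versions:
        return "not-flagged"
    if info["addendum"]:
        return "check-vendor-advisories"
    return "flagged"


# Constructed sample data, not taken from any real scanner or host.
FLAGGED = {"3.6.1"}
SAMPLES = [
    "SSH-1.99-OpenSSH_3.6.1p1 FreeBSD-20040101",
    "SSH-2.0-OpenSSH_3.6.1p1",
    "SSH-2.0-OpenSSH_3.9p1 FreeBSD-20040101",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("%-45s %s" % (sample, triage(sample, FLAGGED)))
```
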

  5. #4

    Re: updating system version of OpenSSH

    Phil Schulz wrote:
    > If you can't afford to upgrade the base OS and you do not want to
    > install OpenSSH from the ports
    Sorry, I wasn't clear. I have no problem installing or
    upgrading OpenSSH from ports. Indeed, that's all I
    know how to do.

    My question is how to upgrade OpenSSH as included with
    5.2.1. If a ports install will do this, great.

    The more general question is how to upgrade system
    software, especially in cases where it's not included
    in the ports collection.


    --- "greg@grokking.org" <greg@grokking.org> wrote:
    > Someone please correct me if I'm wrong on this but I
    > believe rkhunter is
    > just checking the version 3.6.1 and doesn't account
    > for the 'p1' part
    > which refers to a FBSD patch that corrected the
    > vulnerability rkhunter
    > is referring to.
    >
    > IOW, I don't think you need to update ssh on 5.2.1
    > if your motive is
    > merely that rkhunter flagged it.
    OK, that's a relief, thanks.

    Same question holds, though. If some system software
    is actually vulnerable, what's the procedure to update
    it?

    thanks

    /wsbs




    wo_shi_big_stomach Guest

  6. #5

    Re: updating system version of OpenSSH

    wo_shi_big_stomach <wo_shi_big_stomach@yahoo.com> writes:
    > Phil Schulz wrote:
    >
    > > If you can't afford to upgrade the base OS and you do not want to
    > > install OpenSSH from the ports
    >
    > Sorry, I wasn't clear. I have no problem installing or
    > upgrading OpenSSH from ports. Indeed, that's all I
    > know how to do.
    It's generally the best option for people who need to upgrade to the
    latest version string, such as for satisfying corporate security
    "experts". Beyond that, the only real use of ports upgrades is for
    people who insist on staying with older base versions.
    > My question is how to upgrade OpenSSH as included with
    > 5.2.1. If a ports install will do this, great.
    It will.
    > The more general question is how to upgrade system
    > software, especially in cases where it's not included
    > in the ports collection.
    There are several answers, but the usual one is to update the entire
    base system. FreeBSD is designed to be a complete operating system,
    rather than to be updated piecemeal; the advantage is that you don't
    have to worry about dependencies between the pieces, but the
    disadvantage is that, well, you have to update everything at once.
    In the case of people still running 5.2.1, I'd definitely recommend
    updating the whole thing -- after all, 5.2.1 wasn't recommended for
    production use at the time it was released, and 5.3 was.

    Another answer is the FreeBSD-update port (security/freebsd-update),
    but it doesn't support custom kernels. If you're updating because of
    a security problem that had a security advisory issued for it, then
    the advisory will generally include patches and directions for
    applying and building them. Doing this for arbitrary sets of code
    updates is usually possible, but difficult for anyone who doesn't
    have developer-level understanding of source code control.

    Good luck.
    Lowell Gilbert Guest
