[Bug 261755] FreeBSD 13.0 ships with 2018's OpenSSH 7.9

From: <bugzilla-noreply_at_freebsd.org>
Date: Sun, 06 Feb 2022 19:59:27 UTC

            Bug ID: 261755
           Summary: FreeBSD 13.0 ships with 2018's OpenSSH 7.9
           Product: Base System
           Version: 13.0-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: iandstanley@gmail.com

On a recent install of FreeBSD 13.0 RELEASE (and updated with freebsd-update) I
was having issues with my Yubico security key and ssh when I noticed that the
version of SSH shipped with 13.0 is version 7.9 (2018 vintage)

$ ssh -V 
OpenSSh_7.9p1, OpenSSL 1.1.1k-freebsd 24 Aug 2021

$ which ssh

Version 7.9 was released in 2018 and I was shocked that all we did was just
recompile a 3 year old version of a commonly used security tool that has had a
series of security fixes since and was out of date in April 2019. Version 7.9
has at least 10 CVEs attributed to it that have been fixed in the 8.8 version
found in ports.

But we all assume that when a new release appears critical tools get updated to
at least the current version at the time of fixing the release branch.

This missed update ought to have appeared in 2020 in 11.4 or at least in 12.0,
not unresolved in v13.0 in 2022. 

If I hadn't been trying to use a new feature of Openssh 8.2 I wouldn't have
noticed that I was using a version 3 years out of date. 

I had been trying to run ssh-add -K to add the resident key form the yubikey

After I realized that it was a old version I installed the openssh-portable
version 8.8 from the repository

$ /usr/local/bin/ssh -V 
OpenSSh_8.8p1, OpenSSL 1.1.1k-freebsd 24 Aug 2021

Compared with:

$ /usr/bin/ssh -V 
OpenSSh_7.9p1, OpenSSL 1.1.1k-freebsd 24 Aug 2021

I was surprised that the latest release had not upgraded a critical security
tool to at least 8.2 (or later) which was released TWO YEARS ago particularly
seeing that there are at 10 vulnerabilities between the version in /usr/bin/ssh
and openssh-portable. 

It would also mean that I would not need to patch a bunch of scripts and setup



You are receiving this mail because:
You are the assignee for the bug.