[Bug 261755] FreeBSD 13.0 ships with 2018's OpenSSH 7.9
Date: Sun, 06 Feb 2022 19:59:27 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=261755

            Bug ID: 261755
           Summary: FreeBSD 13.0 ships with 2018's OpenSSH 7.9
           Product: Base System
           Version: 13.0-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: iandstanley@gmail.com

On a recent install of FreeBSD 13.0 RELEASE (and updated with freebsd-update) I
was having issues with my Yubico security key and ssh when I noticed that the
version of SSH shipped with 13.0 is version 7.9 (2018 vintage):

    $ ssh -V
    OpenSSH_7.9p1, OpenSSL 1.1.1k-freebsd 24 Aug 2021
    $ which ssh
    /usr/bin/ssh

Version 7.9 was released in 2018 and I was shocked that all we did was just
recompile a 3 year old version of a commonly used security tool that has had a
series of security fixes since and was out of date in April 2019. Version 7.9
has at least 10 CVEs attributed to it that have been fixed in the 8.8 version
found in ports.

But we all assume that when a new release appears critical tools get updated to
at least the current version at the time of fixing the release branch. This
missed update ought to have appeared in 2020 in 11.4 or at least in 12.0, not
unresolved in v13.0 in 2022. If I hadn't been trying to use a new feature of
OpenSSH 8.2 I wouldn't have noticed that I was using a version 3 years out of
date.

BACKGROUND

I had been trying to run ssh-add -K to add the resident key from the Yubikey.
After I realized that it was an old version I installed the openssh-portable
version 8.8 from the repository:

    $ /usr/local/bin/ssh -V
    OpenSSH_8.8p1, OpenSSL 1.1.1k-freebsd 24 Aug 2021

Compared with:

    $ /usr/bin/ssh -V
    OpenSSH_7.9p1, OpenSSL 1.1.1k-freebsd 24 Aug 2021

I was surprised that the latest release had not upgraded a critical security
tool to at least 8.2 (or later), which was released TWO YEARS ago, particularly
seeing that there are at least 10 vulnerabilities between the version in
/usr/bin/ssh and openssh-portable. It would also mean that I would not need to
patch a bunch of scripts and set up aliases.

VULNERABILITIES:
https://www.cvedetails.com/vulnerability-list/vendor_id-97/product_id-585/Openbsd-Openssh.html

-- 
You are receiving this mail because:
You are the assignee for the bug.
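The report hinges on two binaries on the same host reporting different OpenSSH versions, only one of which is new enough for FIDO security keys. The following is an added check (not code from the report or from FreeBSD) that parses `ssh -V` banners and gates on the 8.2 minimum; the banner strings in the test and the `report_binary` helper are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from an `ssh -V` banner whether an OpenSSH build is
# new enough for FIDO/U2F security keys. OpenSSH 8.2 introduced the sk-* key
# types used by hardware tokens, which is why the 7.9 base binary in the report
# cannot load a resident key while the 8.8 port can.

# Extract "major.minor" from a banner such as
# "OpenSSH_8.8p1, OpenSSL 1.1.1k-freebsd 24 Aug 2021". Prints nothing if the
# banner is not recognised. Note: ssh -V writes its banner to stderr.
ssh_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 (true) when major.minor >= 8.2, the first release with sk-* keys;
# 1 when the build is too old; 2 when the banner could not be parsed.
ssh_supports_sk_keys() {
    ver=$(ssh_version_from_banner "$1")
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    minor=${ver#*.}
    [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; }
}

# Hypothetical helper: report one installed binary, e.g. /usr/bin/ssh versus
# /usr/local/bin/ssh from the openssh-portable port. Always returns 0 so it is
# safe under `set -e`.
report_binary() {
    bin=$1
    [ -x "$bin" ] || { echo "$bin: not installed"; return 0; }
    banner=$("$bin" -V 2>&1)
    if ssh_supports_sk_keys "$banner"; then
        echo "$bin: $banner -> security keys (sk-*) supported"
    else
        echo "$bin: $banner -> too old for security keys; expect ssh-add -K to fail"
    fi
}

report_binary /usr/bin/ssh
report_binary /usr/local/bin/ssh
```

Run it on a FreeBSD 13.0 host with the port installed and the two lines show at a glance which `ssh` in `PATH` order is actually usable with the token.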