Fw: Re: OpenSSL/0.9.7c-p1 & OpenSSH_3.5p1

Joshua Lokken joshua at twobirds.us
Thu Apr 22 22:50:13 PDT 2004

From: Matthew Seaman <m.seaman at infracaninophile.co.uk>
Date: Thu, 22 Apr 2004 12:31:24 +0100
To: Pelle Andersson <pelle at spd.nu>
Cc: freebsd-questions at freebsd.org
Subject: Re: OpenSSL/0.9.7c-p1 & OpenSSH_3.5p1
User-Agent: Mutt/1.5.6i

On Thu, Apr 22, 2004 at 10:27:10AM +0200, Pelle Andersson wrote:
> Hi!
> How can I most easily update/upgrade OpenSSL & OpenSSH on a FreeBSD 4.9
> machine?
> I saw on the net that they were part of the "base system" and therefore I
> can't use portupgrade or "make deinstall/make reinstall"
> I thought they were updated when running 'make world'?
> Now I am using:
> >> OpenSSL 0.9.7c-p1 30 Sep 2003
> >> OpenSSH_3.5p1 FreeBSD-20030924
> uname -a:
> FreeBSD frodo.domain.xyz 4.9-RELEASE-p5 FreeBSD 4.9-RELEASE-p5 #2: Wed Apr
> 21 10:21:22 CEST 2004
> @frodo.domain.xyz:/usr/obj/usr/src/sys/FIBOPTIMIZED  i386

You're running 4.9-RELEASE.  One of the points about the -RELEASE
branches is that they are guaranteed *not* to have any new
functionality introduced.  Updates are limited to bugfixes, generally
for security bugs only.

Now, you are running the latest patchlevel on the 4.9-RELEASE branch,
which means that all known bugs in OpenSSL and OpenSSH will have been
fixed.  However *only* the bugs have been fixed.  There haven't been
any patches to add features, neither have there been any patches to
modify version numbers.  Naive security scanners that *just* look at
the version numbers of installed packages will tell you incorrectly
that you have a problem.

If you want the newer versions of those packages, then you have two
choices.  You can install them from ports, or you can upgrade to and
track a different FreeBSD source branch.

If you install from ports, there is a facility for you to install the
port in such a way as to overwrite the equivalents in the base system.
You can certainly do this if you want, but think carefully before
doing so.  Overwriting bits of the base system will make it harder for
you to do regular upgrades.

Otherwise, if you choose to upgrade to a different source branch, you
will need to choose one of the development branches in order to get
new versions of stuff -- that's either 4-STABLE or 5-CURRENT.  But
5-CURRENT is not really suitable for any use other than developing the
system. 4-STABLE is quite close to winding down, and it's not planned
to import the very latest versions of OpenSSH etc: the upcoming
4.10-RELEASE will probably be the last release branched from there,
and that will have OpenSSH 3.5p1.  Other packages may well get updates
though.  5-STABLE is planned coincident with 5.3-RELEASE, which is the
next release planned to happen after 4.10.



Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK

----- End forwarded message -----
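
The contrast the reply draws between a scanner that reads only the version string and one that checks the release-branch patchlevel, as an added example that is not part of the original message. The advisory record, its id and its patchlevel values are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed advisory record (placeholder id and values, not a real advisory):
# upstream fixed the bug in 0.9.7d; the OS vendor backported the fix to the
# release branches at the listed patchlevels without changing the version string.
ADVISORY = {
    "id": "EXAMPLE-SA-0001",
    "upstream_fixed": "0.9.7d",
    "branch_fixed": {"4.9-RELEASE": 3, "4.8-RELEASE": 16},
}

def parse_release(uname_r):
    """Split '4.9-RELEASE-p5' into ('4.9-RELEASE', 5); no -pN suffix means 0."""
    m = re.fullmatch(r"(\d+\.\d+-RELEASE)(?:-p(\d+))?", uname_r)
    if not m:
        raise ValueError(f"not a -RELEASE branch string: {uname_r!r}")
    return m.group(1), int(m.group(2) or 0)

def version_key(v):
    """Sort key for OpenSSL-style versions such as '0.9.7c' (vendor '-p1' ignored)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-p\d+)?", v)
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    return (int(m[1]), int(m[2]), int(m[3]), m[4])

def naive_check(reported_version, advisory):
    """Version-string-only scanner logic: True means 'flag as vulnerable'."""
    return version_key(reported_version) < version_key(advisory["upstream_fixed"])

def branch_aware_check(uname_r, reported_version, advisory):
    """Prefer the branch patchlevel; fall back to the version string otherwise."""
    try:
        branch, patchlevel = parse_release(uname_r)
    except ValueError:
        branch, patchlevel = None, 0
    fixed_at = advisory["branch_fixed"].get(branch)
    if fixed_at is not None:
        return "fixed" if patchlevel >= fixed_at else "vulnerable"
    # Branch not listed in the advisory: the version string is the only evidence.
    return "vulnerable" if naive_check(reported_version, advisory) else "fixed"

if __name__ == "__main__":
    # Values quoted in the message above: 4.9-RELEASE-p5 with OpenSSL 0.9.7c-p1.
    print("naive scanner flags it:", naive_check("0.9.7c-p1", ADVISORY))
    print("branch-aware result:", branch_aware_check("4.9-RELEASE-p5", "0.9.7c-p1", ADVISORY))
```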
