Updating OpenSSH
Carmel
carmel_ny at hotmail.com
Wed Mar 16 18:24:36 UTC 2011
On Wed, 16 Mar 2011 14:35:09 +0000
Matthew Seaman <m.seaman at infracaninophile.co.uk> articulated:
> On 16/03/2011 13:38, Carmel wrote:
> > I was just wondering about the version of SSH used on FreeBSD.
> >
> > According to the OpenSSH page:
> >
> > OpenSSH 5.8/5.8p1 released February 4, 2011 [contains security fix]
> >
> > Now, according to my system, FreeBSD-8.2, I have this version:
> >
> > OpenSSH_5.4p1 FreeBSD-20100308, OpenSSL 0.9.8q 2 Dec 2010
> >
> > # openssl version
> > OpenSSL 1.0.0d 8 Feb 2011
> >
> > So why is an older version shown? Also, when does the FreeBSD
> > team intend to update the system OpenSSH version?
> >
> > I have the following notation in my /etc/make.conf file:
> >
> > WITH_OPENSSL_PORT=yes
> >
> > Should I have something else also? I have FreeBSD 8.2-STABLE
> > installed.
> >
>
> The version of OpenSSH shipped with any release of the OS is
> exceedingly unlikely to be updated within the lifetime of that
> release. Not unless there was a killer problem, and it turned out
> easier to update the whole shebang rather than just patching the
> problem.
>
> Why wasn't OpenSSH updated in stable/8 before 8.2-RELEASE? Good
> question. I don't actually know. It's quite possible that no one had
> sufficient spare cycles to do the work required, and that the changes
> between 5.4 and 5.8 were not sufficiently compelling for anyone to
> make the time.

OK, then does that mean that the latest version will be used in the
still not released 9 version of FreeBSD?

> As for security vulnerabilities: did you check on the OpenSSH site?
> The vulnerability fixed in 5.8 (information leak in signed SSH keys)
> only applies to versions 5.6 and 5.7 -- that's because the whole
> 'signed key' thing isn't in version 5.4 at all.

No, all I did was check for the current version.

> I can tell you that the FreeBSD Security Team is extremely efficient
> and would have had patches and security advisories out for this
> problem within a matter of hours of the OpenSSH announcement *if it
> had been relevant*.
--
Carmel
carmel_ny at hotmail.com