OpenSSH Upgrades

Much of the time, we would recompile from ports or use pkg to upgrade programs. We use freebsd-update to keep the system patched. What about major and minor version changes for programs like ssh (OpenSSH) which are central to the performance of FreeBSD? How are those updated? When we select a version of FreeBSD to run, are we basically stuck with some programs until we upgrade to a later version? If so, which kinds of programs might be in that situation?
 
OpenSSH comes by default as a 'base' version in FreeBSD. Therefore it is usable without any other ports installed right after installation. It is located in /usr/bin/. You can also install a ports version, but this is usually not necessary unless you have a good reason.
The base-version gets upgraded/updated with the security patches for your FreeBSD version when necessary. If you want to use the ports-version (which would be installed in /usr/local/bin) it would need updates like the other ports.

Also see FreeBSD Handbook:
 
The version of OpenSSH in my copy of FreeBSD 12.1 is over 18 months old. I have a host with OpenSSH that shows 7.8 from September 2018. OpenSSH is on 8.1. How far behind do we have to get before it gets updated?

There's no ports maintainer, I suppose, because there's no port. So, who determines this? Is this the type of thing that's decided as a release is built? If so, then when would we see 8.1 or better? In a later release of the OS?
 
OK, I was aware of most of this before I started the thread. I'm just going to install openssh-portable.
 
> OK, I was aware of most of this before I started the thread. I'm just going to install openssh-portable.

Just noticed this

I've been trying to get my Yubico security key working with ssh, and despite installing openssh-portable, ssh was missing the -K option.

After a little poking around I noticed that

$ ssh -V
OpenSSH_7.9p1, OpenSSL 1.1.1k-freebsd 24 Aug 2021

v7.9 is over three years old and has known vulnerabilities

After installing openssh-portable I have

$ /usr/local/bin/ssh -V
OpenSSH_8.8p1, OpenSSL 1.1.1k-freebsd 24 Aug 2021

Now I'm having to use an alias and patch scripts to avoid the old version.

I have raised a bug on base re the 2018 version in /usr/bin/ssh
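
An added example, not part of the thread: a Python audit of every `ssh` on PATH, listed in lookup order so it is clear which binary a bare `ssh` in a script resolves to and whether it is new enough for security keys. The 8.2 threshold is the OpenSSH release that introduced FIDO/U2F support; the function names are illustrative.

```python
import os
import re
import subprocess

# FIDO/U2F security-key support first shipped in OpenSSH 8.2.
FIDO_MIN = (8, 2)
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")


def parse_banner(banner):
    """Return (major, minor) from `ssh -V` output, or None if unrecognised."""
    m = BANNER_RE.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def supports_fido(banner):
    version = parse_banner(banner)
    return version is not None and version >= FIDO_MIN


def ssh_binaries(path=None):
    """Yield (binary, banner) for each executable `ssh` on PATH, in lookup order."""
    seen = set()
    search = path if path is not None else os.environ.get("PATH", "")
    for d in search.split(os.pathsep):
        candidate = os.path.join(d or ".", "ssh")  # empty entry means cwd
        if not (os.path.isfile(candidate) and os.access(candidate, os.X_OK)):
            continue
        real = os.path.realpath(candidate)
        if real in seen:  # same binary reached through a symlinked directory
            continue
        seen.add(real)
        # `ssh -V` prints its banner on stderr
        proc = subprocess.run([candidate, "-V"], capture_output=True,
                              text=True, timeout=5)
        yield candidate, (proc.stderr or proc.stdout).strip()


def audit(binaries):
    """The first entry is what a bare `ssh` resolves to."""
    return [(p, parse_banner(b), supports_fido(b)) for p, b in binaries]


if __name__ == "__main__":
    for i, (p, v, fido) in enumerate(audit(ssh_binaries())):
        note = "  <- used by a bare `ssh`" if i == 0 else ""
        print(f"{p}: version={v} fido={fido}{note}")
```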
 
Can you provide more info?


A vulnerability scan run against a FreeBSD 13.0 machine running ssh 7.9p1 using nmap with the vulners script reports the following vulnerabilities (most of which seem to be variations on the same CVEs):

display_name          service  os_type  vulner_found
172.30.88.1 [tcp/22]  ssh      FreeBSD  [5.8]: MSF:ILITIES/UBUNTU-CVE-2019-6111/
172.30.88.1 [tcp/22]  ssh      FreeBSD  [5.8]: MSF:ILITIES/SUSE-CVE-2019-6111/
172.30.88.1 [tcp/22]  ssh      FreeBSD  [5.8]: MSF:ILITIES/SUSE-CVE-2019-25017/
172.30.88.1 [tcp/22]  ssh      FreeBSD  [5.8]: MSF:ILITIES/REDHAT_LINUX-CVE-2019-6111/
172.30.88.1 [tcp/22]  ssh      FreeBSD  [5.8]: MSF:ILITIES/REDHAT-OPENSHIFT-CVE-2019-6111/
172.30.88.1 [tcp/22]  ssh      FreeBSD  [5.8]: MSF:ILITIES/ORACLE-SOLARIS-CVE-2019-6111/
172.30.88.1 [tcp/22]  ssh      FreeBSD  [5.8]: MSF:ILITIES/OPENBSD-OPENSSH-CVE-2019-6111/
172.30.88.1 [tcp/22]  ssh      FreeBSD  [5.8]: MSF:ILITIES/IBM-AIX-CVE-2019-6111/
172.30.88.1 [tcp/22]  ssh      FreeBSD  [5.8]: MSF:ILITIES/HUAWEI-EULEROS-2_0_SP8-CVE-2019-6111/
172.30.88.1 [tcp/22]  ssh      FreeBSD  [5.8]: MSF:ILITIES/HUAWEI-EULEROS-2_0_SP5-CVE-2019-6111/
172.30.88.1 [tcp/22]  ssh      FreeBSD  [5.8]: MSF:ILITIES/HUAWEI-EULEROS-2_0_SP3-CVE-2019-6111/
172.30.88.1 [tcp/22]  ssh      FreeBSD  [5.8]: MSF:ILITIES/HUAWEI-EULEROS-2_0_SP2-CVE-2019-6111/
172.30.88.1 [tcp/22]  ssh      FreeBSD  [5.8]: MSF:ILITIES/GENTOO-LINUX-CVE-2019-6111/
172.30.88.1 [tcp/22]  ssh      FreeBSD  [5.8]: MSF:ILITIES/F5-BIG-IP-CVE-2019-6111/
172.30.88.1 [tcp/22]  ssh      FreeBSD  [5.8]: MSF:ILITIES/DEBIAN-CVE-2019-6111/
172.30.88.1 [tcp/22]  ssh      FreeBSD  [5.8]: MSF:ILITIES/CENTOS_LINUX-CVE-2019-6111/
172.30.88.1 [tcp/22]  ssh      FreeBSD  [5.8]: MSF:ILITIES/AMAZON_LINUX-CVE-2019-6111/
172.30.88.1 [tcp/22]  ssh      FreeBSD  [5.8]: MSF:ILITIES/AMAZON-LINUX-AMI-2-CVE-2019-6111/
172.30.88.1 [tcp/22]  ssh      FreeBSD  [5.8]: MSF:ILITIES/ALPINE-LINUX-CVE-2019-6111/
172.30.88.1 [tcp/22]  ssh      FreeBSD  [5.8]: EXPLOITPACK:98FE96309F9524B8C84C508837551A19
172.30.88.1 [tcp/22]  ssh      FreeBSD  [5.8]: EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97
172.30.88.1 [tcp/22]  ssh      FreeBSD  [5.8]: EDB-ID:46516
172.30.88.1 [tcp/22]  ssh      FreeBSD  [5.8]: EDB-ID:46193
172.30.88.1 [tcp/22]  ssh      FreeBSD  [5.8]: CVE-2019-6111
172.30.88.1 [tcp/22]  ssh      FreeBSD  [5.8]: 1337DAY-ID-32328
172.30.88.1 [tcp/22]  ssh      FreeBSD  [5.8]: 1337DAY-ID-32009
172.30.88.1 [tcp/22]  ssh      FreeBSD  [4.4]: CVE-2021-41617
172.30.88.1 [tcp/22]  ssh      FreeBSD  [4.4]: CVE-2019-16905
172.30.88.1 [tcp/22]  ssh      FreeBSD  [4.3]: MSF:ILITIES/OPENBSD-OPENSSH-CVE-2020-14145/
172.30.88.1 [tcp/22]  ssh      FreeBSD  [4.3]: MSF:ILITIES/HUAWEI-EULEROS-2_0_SP9-CVE-2020-14145/
172.30.88.1 [tcp/22]  ssh      FreeBSD  [4.3]: MSF:ILITIES/HUAWEI-EULEROS-2_0_SP8-CVE-2020-14145/
172.30.88.1 [tcp/22]  ssh      FreeBSD  [4.3]: MSF:ILITIES/HUAWEI-EULEROS-2_0_SP5-CVE-2020-14145/
172.30.88.1 [tcp/22]  ssh      FreeBSD  [4.3]: MSF:ILITIES/F5-BIG-IP-CVE-2020-14145/
172.30.88.1 [tcp/22]  ssh      FreeBSD  [4.3]: CVE-2020-14145
172.30.88.1 [tcp/22]  ssh      FreeBSD  [4.0]: CVE-2019-6110
172.30.88.1 [tcp/22]  ssh      FreeBSD  [4.0]: CVE-2019-6109
172.30.88.1 [tcp/22]  ssh      FreeBSD  [2.6]: CVE-2018-20685
172.30.88.1 [tcp/22]  ssh      FreeBSD  [0.0]: PACKETSTORM:151227
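
An added example, not part of the post: a Python triage helper that collapses scan rows like the ones above into one finding per host, port and CVE, since many rows are vendor-specific entries for the same CVE. The sample rows are a subset copied from the output above; the function names are illustrative.

```python
import re

# Subset of rows copied from the scan output in the post above.
SAMPLE = """\
display_nameserviceos_typevulner_found
172.30.88.1 [tcp/22]sshFreeBSD[5.8]: MSF:ILITIES/UBUNTU-CVE-2019-6111/
172.30.88.1 [tcp/22]sshFreeBSD[5.8]: MSF:ILITIES/DEBIAN-CVE-2019-6111/
172.30.88.1 [tcp/22]sshFreeBSD[5.8]: EDB-ID:46516
172.30.88.1 [tcp/22]sshFreeBSD[5.8]: CVE-2019-6111
172.30.88.1 [tcp/22]sshFreeBSD[4.3]: MSF:ILITIES/F5-BIG-IP-CVE-2020-14145/
172.30.88.1 [tcp/22]sshFreeBSD[4.3]: CVE-2020-14145
172.30.88.1 [tcp/22]sshFreeBSD[2.6]: CVE-2018-20685
"""
# host [proto/port] ... [score]: identifier (columns may be fused or spaced)
ROW_RE = re.compile(r"^(\S+) \[(\w+)/(\d+)\].*?\[(\d+(?:\.\d+)?)\]:\s*(\S+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def collapse(report):
    """Return ({(host, port, cve): (max_score, row_count)}, [ids without a CVE])."""
    findings, unmapped = {}, []
    for line in report.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header or blank line
        host, _proto, port, score, ident = m.groups()
        cve = CVE_RE.search(ident)
        if not cve:
            # Identifier carries no CVE number; keep it for manual lookup.
            unmapped.append(ident)
            continue
        key = (host, int(port), cve.group())
        best, rows = findings.get(key, (0.0, 0))
        findings[key] = (max(best, float(score)), rows + 1)
    return findings, unmapped


def triage(report):
    """Unique findings sorted by descending score, plus unmapped identifiers."""
    findings, unmapped = collapse(report)
    ranked = sorted(findings.items(), key=lambda kv: (-kv[1][0], kv[0]))
    return ranked, unmapped


if __name__ == "__main__":
    ranked, unmapped = triage(SAMPLE)
    for (host, port, cve), (score, rows) in ranked:
        print(f"{host}:{port} {cve} score={score} rows={rows}")
    print("no CVE in identifier:", unmapped)
```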
 