Close OpenSSH hole on 13.1-RELEASE server without shutting down?

Reply: Dan Mahoney : "Re: Close OpenSSH hole on 13.1-RELEASE server without shutting down?"
Reply: Andrea Venturoli : "Close OpenSSH hole on a supported server without shutting down?"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Brett Glass <brett_at_lariat.net>
Date: Wed, 03 Jul 2024 00:50:44 UTC

Hello!

We have a server running FreeBSD 13.1-RELEASE (curent patch level: 
p5) in a remote location. It's running well, and uses a custom 
statically linked kernel with no loadable modules to conserve 
memory and allow better security.

We just found out about the latest OpenSSH bug, and want to patch. 
Unfortunately, the freebsd-update utility isn't updating it, 
because it is JUST ONE POINT VERSION beyond the earliest one for 
which the Security Team has provided updates. And we can't shut the 
server down to do a major upgrade right now. (Upgrades to systems 
using custom kernels are especially dicey and frequently result in 
lockouts, which in this case would not only interrupt important 
activities but require a 50 mile drive.)

Any ideas as to how to JUST upgrade OpenSSH? I've looked at 
installing the openssh-portable binary package, but when I start 
the process by doing a "pkg update" I get a warning message 
indicating OS mismatches for lots of packages. The error messages 
all include the line

To ignore this error set IGNORE_OSVERSION=yes

(which I assume means to start sh, set that environment variable in 
the shell, and then run the command). Is this safe?

--Brett Glass