From: Dan Mahoney
To: Brett Glass
Cc: questions@freebsd.org
Date: Tue, 2 Jul 2024 18:03:28 -0700
Subject: Re: Close OpenSSH hole on 13.1-RELEASE server without shutting down?
In-Reply-To: <202407030050.SAA06884@mail.lariat.net>
References: <202407030050.SAA06884@mail.lariat.net>
List-Id: User questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

> On Jul 2, 2024, at 17:50, Brett Glass wrote:
>
> Hello!
>
> We have a server running FreeBSD 13.1-RELEASE (current patch level: p5) in a remote location. It's running well, and uses a custom statically linked kernel with no loadable modules to conserve memory and allow better security.
>
> We just found out about the latest OpenSSH bug, and want to patch. Unfortunately, the freebsd-update utility isn't updating it, because it is JUST ONE POINT VERSION beyond the earliest one for which the Security Team has provided updates. And we can't shut the server down to do a major upgrade right now. (Upgrades to systems using custom kernels are especially dicey and frequently result in lockouts, which in this case would not only interrupt important activities but require a 50-mile drive.)
>
> Any ideas as to how to JUST upgrade OpenSSH? I've looked at installing the openssh-portable binary package, but when I start the process by doing a "pkg update" I get a warning message indicating OS mismatches for lots of packages. The error messages all include the line
>
> To ignore this error set IGNORE_OSVERSION=yes
>
> (which I assume means to start sh, set that environment variable in the shell, and then run the command). Is this safe?

There is a workaround posted in the security advisory. You can also firewall off ssh connections from anywhere but trusted sources. Note that if you're still on 13.1 there are other security advisories to be aware of beyond the ssh one. (Albeit none quite so egregious).

-Dan
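The two stop-gaps in Dan's reply, scripted as an added example that is not code from the thread, from FreeBSD or from OpenSSH. It assumes the advisory in question is FreeBSD-SA-24:04.openssh (CVE-2024-6387), whose published workaround is "LoginGraceTime 0" in sshd_config; that pf is the firewall and sshd listens on port 22; and that the interface name vtnet0 and the networks 203.0.113.10/32 and 2001:db8::/32 are placeholders. The function names are the example's own. Because the box is a 50-mile drive away, the pf loader refuses to run unless the address your own session comes from is literally in the trusted table, and it schedules an automatic reload of the old /etc/pf.conf so a bad rule set undoes itself.

```sh
#!/bin/sh
# Added example: not code from the thread, from FreeBSD, or from OpenSSH.
# Scripts the two stop-gaps Dan names for an sshd you cannot patch yet on a
# remote FreeBSD box. Assumptions, all of them placeholders to adjust:
#   - the advisory is FreeBSD-SA-24:04.openssh (CVE-2024-6387), whose
#     workaround is "LoginGraceTime 0" in sshd_config;
#   - pf is the packet filter, sshd listens on port 22, and the external
#     interface and trusted networks are whatever you pass as arguments.
# Nothing here touches /etc until you call pf_apply_with_revert yourself.

# sshd_workaround FILE: print FILE with every LoginGraceTime directive
# (active or commented out) dropped and "LoginGraceTime 0" placed first.
# sshd keeps the first value it sees for a keyword, so first wins.
# Caveat: 0 disables the unauthenticated-connection timeout, so half-open
# sessions can pile up to MaxStartups; the firewall rules below limit who
# can open them at all.
sshd_workaround() {
    [ -r "$1" ] || return 1
    printf 'LoginGraceTime 0\n'
    # grep -v exits 1 when nothing is left to print; that is not an error here.
    grep -v -E '^[[:space:]]*#?[[:space:]]*LoginGraceTime[[:space:]=]' "$1" || :
}

# pf_ssh_rules IFACE CIDR...: emit pf.conf lines that admit TCP/22 only from
# the listed sources. Both rules are "quick", so order is pass, then block.
pf_ssh_rules() {
    iface=$1; shift
    printf 'table <ssh_trusted> persist { %s }\n' "$*"
    printf 'pass in quick on %s proto tcp from <ssh_trusted> to (%s) port 22 flags S/SA keep state\n' "$iface" "$iface"
    printf 'block in quick on %s proto tcp to (%s) port 22\n' "$iface" "$iface"
}

# source_is_listed IP CIDR...: succeed only if IP appears literally in the
# trusted list (bare, or as a /32 or /128 host entry). Deliberately strict:
# no prefix arithmetic, so a client inside a wider prefix fails and you
# confirm by hand rather than trusting the script with your only way in.
source_is_listed() {
    ip=$1; shift
    for entry in "$@"; do
        case "$entry" in
            "$ip"|"$ip/32"|"$ip/128") return 0 ;;
        esac
    done
    return 1
}

# pf_apply_with_revert NEWCONF [SECONDS]: syntax-check NEWCONF, refuse to
# load it unless the current ssh session's source address is in the trusted
# table, then load it with a timer that reloads /etc/pf.conf after SECONDS.
# If the new rules cut your session, the old ones come back on their own;
# if they did not, kill the timer and copy NEWCONF over /etc/pf.conf.
pf_apply_with_revert() {
    new=$1; secs=${2:-120}
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not found" >&2; return 1; }
    pfctl -nf "$new" || return 1
    client=${SSH_CLIENT%% *}
    trusted=$(sed -n 's/^table <ssh_trusted>.*{ *\(.*\) *}.*/\1/p' "$new")
    # $trusted is intentionally unquoted: one argument per table entry
    if [ -n "$client" ] && ! source_is_listed "$client" $trusted; then
        echo "your session comes from $client, which is not listed; aborting" >&2
        return 1
    fi
    pfctl -f "$new" || return 1
    # nohup so the timer survives the session being dropped by the new rules
    nohup sh -c "sleep $secs; pfctl -f /etc/pf.conf" >/dev/null 2>&1 &
    echo "loaded $new; auto-revert in ${secs}s unless you run: kill $!"
}

# Typical session (as root on the server):
#   sshd_workaround /etc/ssh/sshd_config > /tmp/sshd_config.new \
#     && sshd -t -f /tmp/sshd_config.new \
#     && mv /tmp/sshd_config.new /etc/ssh/sshd_config && service sshd reload
#   pf_ssh_rules vtnet0 203.0.113.10/32 2001:db8::/32 > /tmp/ssh.rules
#   (merge /tmp/ssh.rules into a copy of /etc/pf.conf, ahead of any existing
#    pass rule for port 22, then:)
#   pf_apply_with_revert /tmp/pf.conf.new 180
```

Both pieces are a bridge until sshd itself is replaced: the grace-time change removes the timeout the advisory's workaround targets but leaves unauthenticated connections open indefinitely, so keep the source restriction in place alongside it, and always run pfctl -nf and sshd -t on the candidate files before loading them on a host you cannot reach by console.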