Re: FreeBSD Errata Notice FreeBSD-EN-23:09.freebsd-update [REVISED]
- In reply to: Peter Libassi : "Re: FreeBSD Errata Notice FreeBSD-EN-23:09.freebsd-update [REVISED]"
Date: Wed, 04 Oct 2023 11:21:50 UTC
On Wed, 4 Oct 2023 06:45:40 +0200
Peter Libassi <peter@libassi.se> wrote:

> Me too! My sshd_config is also customized and every time there is a new
> patch I need to run freebsd-update manually and get rid of the attempt to
> trash the sshd config that could make my server unreachable over the
> network.
>
> Why does freebsd-update need a vanilla sshd_config?
> Why not give a message and put the new FreeBSD vanilla sshd_config file in
> /etc/ssh/sshd_config-new_version?
> Does this behaviour mean that /etc/ssh/sshd_config is uncustomizable, and
> if you need a custom sshd configuration you should use the port-provided
> openssh-portable?
>
> > On 4 Oct 2023 at 04:13, monochrome <monochrome@twcny.rr.com> wrote:
> >
> > not sure if this is related or appropriate here, but for the last 2 or 3
> > updates freebsd-update has been hanging on this:
> >
> >   The following files are affected by updates. No changes have
> >   been downloaded, however, because the files have been modified
> >   locally:
> >   /etc/ssh/sshd_config
> >
> > a minor annoyance, but is this the new normal? this file will obviously
> > be changed on most systems, why do I seem like the only one with this
> > problem?
> >
> > as of today it's still doing it:
> >
> >   FreeBSD quartzon 13.2-RELEASE-p4 FreeBSD 13.2-RELEASE-p4 GENERIC amd64
> >
> > On 10/3/23 19:03, FreeBSD Errata Notices wrote:
> >> =============================================================================
> >> FreeBSD-EN-23:09.freebsd-update                                 Errata Notice
> >>                                                           The FreeBSD Project
> >>
> >> Topic:          freebsd-update incorrectly merges files on upgrade
> >>
> >> Category:       core
> >> Module:         freebsd-update
> >> Announced:      2023-09-06
> >> Affects:        FreeBSD 13.2
> >> Corrected:      2023-05-16 21:34:10 UTC (stable/13, 13.2-STABLE)
> >>                 2023-09-06 16:56:24 UTC (releng/13.2, 13.2-RELEASE-p3)
> >>                 2023-09-28 13:42:18 UTC (stable/12, 12.4-STABLE)
> >>                 2023-10-03 22:15:35 UTC (releng/12.4, 12.4-RELEASE-p6)
> >>
> >> For general information regarding FreeBSD Errata Notices and Security
> >> Advisories, including descriptions of the fields above, security
> >> branches, and the following sections, please visit
> >> <URL:https://security.FreeBSD.org/>.
> >>
> >> 2023-09-06  Initial Revision
> >> 2023-10-03  Updated to include the patch for 12.4-RELEASE.
> >>
> >> I.   Background
> >>
> >> freebsd-update provides binary updates for supported releases of FreeBSD on
> >> amd64, arm64, and i386.
> >>
> >> II.  Problem Description
> >>
> >> freebsd-update incorrectly deleted files in /etc/ in the event the file to be
> >> updated matched the new release and was different than the old release. This
> >> has not been an issue previously because the $FreeBSD$ tag expansion from
> >> subversion virtually guaranteed the existing file was going to be different
> >> from the new release. With the conversion to git in the 13.x releases,
> >> $FreeBSD$ is no longer expanded, making it much more likely that a file would
> >> find this issue.
> >>
> >> III. Impact
> >>
> >> Unmodified files in /etc/ may be deleted on running freebsd-update upgrade.
> >>
> >> IV.  Workaround
> >>
> >> No workaround is available.
> >>
> >> V.   Solution
> >>
> >> Upgrade your system to a supported FreeBSD stable or release / security
> >> branch (releng) dated after the correction date.
> >>
> >> Perform one of the following:
> >>
> >> 1) To update your system via a binary patch:
> >>
> >> Systems running a RELEASE version of FreeBSD on the amd64, i386, or
> >> (on FreeBSD 13 and later) arm64 platforms can be updated via the
> >> freebsd-update(8) utility:
> >>
> >> # freebsd-update fetch
> >> # freebsd-update install
> >>
> >> 2) To update your system via a source code patch:
> >>
> >> The following patches have been verified to apply to the applicable
> >> FreeBSD release branches.
> >>
> >> a) Download the relevant patch from the location below, and verify the
> >> detached PGP signature using your PGP utility.
> >>
> >> # fetch https://security.FreeBSD.org/patches/EN-23:09/freebsd-update.patch
> >> # fetch https://security.FreeBSD.org/patches/EN-23:09/freebsd-update.patch.asc
> >> # gpg --verify freebsd-update.patch.asc
> >>
> >> b) Apply the patch.  Execute the following commands as root:
> >>
> >> # cd /usr/src
> >> # patch < /path/to/patch
> >>
> >> c) Recompile the operating system using buildworld and installworld as
> >> described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
> >>
> >> VI.  Correction details
> >>
> >> This issue is corrected by the corresponding Git commit hash or Subversion
> >> revision number in the following stable and release branches:
> >>
> >> Branch/path                             Hash                     Revision
> >> -------------------------------------------------------------------------
> >> stable/13/                              866e5c6b3ce7    stable/13-n255386
> >> releng/13.2/                            0b39d9de2e71  releng/13.2-n254628
> >> stable/12/                                                        r373221
> >> releng/12.4/                                                      r373231
> >> -------------------------------------------------------------------------
> >>
> >> For FreeBSD 13 and later:
> >>
> >> Run the following command to see which files were modified by a
> >> particular commit:
> >>
> >> # git show --stat <commit hash>
> >>
> >> Or visit the following URL, replacing NNNNNN with the hash:
> >>
> >> <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
> >>
> >> To determine the commit count in a working tree (for comparison against
> >> nNNNNNN in the table above), run:
> >>
> >> # git rev-list --count --first-parent HEAD
> >>
> >> For FreeBSD 12 and earlier:
> >>
> >> Run the following command to see which files were modified by a particular
> >> revision, replacing NNNNNN with the revision number:
> >>
> >> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
> >>
> >> Or visit the following URL, replacing NNNNNN with the revision number:
> >>
> >> <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
> >>
> >> VII. References
> >>
> >> <URL:https://reviews.freebsd.org/D39973>
> >>
> >> The latest revision of this advisory is available at
> >> <URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-23:09.freebsd-update.asc>

Hi.

sshd has an option, "-f config_file", to override the default
/etc/ssh/sshd_config. See `man sshd` for details.

And in /etc/defaults/rc.conf, the 3 lines below (wrapped to 4 lines here)
exist:

  sshd_enable="NO"                # Enable sshd
  sshd_program="/usr/sbin/sshd"   # path to sshd, if you want
                                  # a different one.
  sshd_flags=""                   # Additional flags for sshd.

You should already have set at least 'sshd_enable="YES"' in your
/etc/rc.conf or /etc/rc.conf.local if you are running sshd on your system.

Why not create a customised sshd_config with another name or in another
place and override the default with sshd_flags, keeping the vanilla one
intact? For example, copy /etc/ssh/sshd_config to /etc/ssh/sshd_config_local,
edit it to fit your needs, and specify
sshd_flags="-f /etc/ssh/sshd_config_local" in your /etc/rc.conf[.local].

Keep in mind to track any changes to the vanilla one for
additions/changes/deletions of functionality and edit yours when needed.

-- 
Tomoaki AOKI    <junchoon@dec.sakura.ne.jp>
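The approach in the reply above, scripted as an added example that is not code from the thread or from FreeBSD: it keeps the stock /etc/ssh/sshd_config untouched (so freebsd-update no longer sees a locally modified file), points sshd at /etc/ssh/sshd_config_local via sshd_flags, syntax-checks that file with `sshd -t` before rc.conf is touched, and reports lines the stock file gained that your copy lacks, which is the "track changes to the vanilla one" step. The function names and the environment variables are hypothetical.

```shell
#!/bin/sh
# Added helper, not from the thread: run sshd from a locally named copy of
# sshd_config so freebsd-update never sees /etc/ssh/sshd_config as modified.
set -eu

VANILLA=${VANILLA:-/etc/ssh/sshd_config}       # file freebsd-update owns
LOCAL=${LOCAL:-/etc/ssh/sshd_config_local}     # file you own and edit
RC_CONF=${RC_CONF:-/etc/rc.conf}

# Create the local copy once; never clobber an existing customised file.
make_local_config() {  # $1 vanilla, $2 local -> 1 if vanilla is missing
    [ -f "$1" ] || return 1
    [ -e "$2" ] || cp "$1" "$2"
}

# Point sshd at the local file, replacing any existing sshd_flags line.
# On a real host sysrc(8) does the same: sysrc sshd_flags="-f $LOCAL"
set_sshd_flags() {  # $1 rc.conf, $2 local config
    tmp=$(mktemp) || return 1
    { grep -v '^sshd_flags=' "$1" 2>/dev/null || :
      printf 'sshd_flags="-f %s"\n' "$2"; } > "$tmp"
    cat "$tmp" > "$1" && rm -f "$tmp"   # cat keeps rc.conf's mode and owner
}

get_sshd_flags() {  # $1 rc.conf -> prints the value without quotes
    sed -n 's/^sshd_flags="\(.*\)"$/\1/p' "$1"
}

# Lines in the stock file that are absent from the local copy: options or
# defaults an update introduced that your copy does not reflect yet.
vanilla_drift() {  # $1 vanilla, $2 local -> prints lines; exit 0 if any
    grep -vxF -f "$2" "$1"
}

count_drift() {  # $1 vanilla, $2 local -> number of drifted lines
    vanilla_drift "$1" "$2" | wc -l | tr -d ' '
}

# Run as `sh sshd_local.sh apply` to do it for real; then: service sshd restart
if [ "${1:-}" = apply ]; then
    make_local_config "$VANILLA" "$LOCAL"
    /usr/sbin/sshd -t -f "$LOCAL"       # syntax-check before touching rc.conf
    set_sshd_flags "$RC_CONF" "$LOCAL"
    vanilla_drift "$VANILLA" "$LOCAL" || echo "local copy covers the stock file"
fi
```

Re-run `count_drift` after every freebsd-update so new upstream directives are noticed and merged into the local copy by hand.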