From nobody Wed Oct 04 11:21:50 2023
Date: Wed, 4 Oct 2023 20:21:50 +0900
From: Tomoaki AOKI
To: stable@freebsd.org
Subject: Re: FreeBSD Errata Notice FreeBSD-EN-23:09.freebsd-update [REVISED]
Message-Id: <20231004202150.80e96f3ad877c03fec3d33ee@dec.sakura.ne.jp>
In-Reply-To:
References: <20231003230335.0B92113333@freefall.freebsd.org>
Organization: Junchoon corps
X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.33; amd64-portbld-freebsd14.0)
List-Id: Production branch of FreeBSD source code
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
Content-Type: text/plain; charset=US-ASCII
On Wed, 4 Oct 2023 06:45:40 +0200
Peter Libassi wrote:

> Me too! My sshd_config is also customized and every time there is a new
> patch I need to run freebsd-update manually and get rid of the attempt to
> trash the sshd config that could make my server unreachable over the
> network.
>
> Why does freebsd-update need a vanilla sshd_config?
> Why not give a message and put the new FreeBSD vanilla sshd_config file in
> /etc/ssh/sshd_config-new_version?
> Does this behaviour mean that /etc/ssh/sshd_config is uncustomizable, and
> if you need a custom sshd configuration you should use the port-provided
> openssh-portable?
>
> > On 4 Oct 2023 at 04:13, monochrome wrote:
> >
> > not sure if this is related or appropriate here, but for the last 2 or 3
> > updates freebsd-update has been hanging on this:
> >
> > The following files are affected by updates. No changes have
> > been downloaded, however, because the files have been modified
> > locally:
> > /etc/ssh/sshd_config
> >
> > a minor annoyance, but is this the new normal? this file will obviously
> > be changed on most systems, why do I seem like the only one with this
> > problem?
> >
> > as of today it's still doing it:
> > FreeBSD quartzon 13.2-RELEASE-p4 FreeBSD 13.2-RELEASE-p4 GENERIC amd64
> >
> > On 10/3/23 19:03, FreeBSD Errata Notices wrote:
> >> =============================================================================
> >> FreeBSD-EN-23:09.freebsd-update                                 Errata Notice
> >>                                                           The FreeBSD Project
> >>
> >> Topic:          freebsd-update incorrectly merges files on upgrade
> >>
> >> Category:       core
> >> Module:         freebsd-update
> >> Announced:      2023-09-06
> >> Affects:        FreeBSD 13.2
> >> Corrected:      2023-05-16 21:34:10 UTC (stable/13, 13.2-STABLE)
> >>                 2023-09-06 16:56:24 UTC (releng/13.2, 13.2-RELEASE-p3)
> >>                 2023-09-28 13:42:18 UTC (stable/12, 12.4-STABLE)
> >>                 2023-10-03 22:15:35 UTC (releng/12.4, 12.4-RELEASE-p6)
> >>
> >> For general information regarding FreeBSD Errata Notices and Security
> >> Advisories, including descriptions of the fields above, security
> >> branches, and the following sections, please visit
> >> .
> >>
> >> 2023-09-06  Initial Revision
> >> 2023-10-03  Updated to include the patch for 12.4-RELEASE.
> >>
> >> I.   Background
> >>
> >> freebsd-update provides binary updates for supported releases of FreeBSD on
> >> amd64, arm64, and i386.
> >>
> >> II.  Problem Description
> >>
> >> freebsd-update incorrectly deleted files in /etc/ in the event the file to be
> >> updated matched the new release and was different than the old release.  This
> >> has not been an issue previously because the $FreeBSD$ tag expansion from
> >> subversion virtually guaranteed the existing file was going to be different
> >> from the new release.  With the conversion to git in the 13.x releases,
> >> $FreeBSD$ is no longer expanded, making it much more likely that a file would
> >> find this issue.
> >>
> >> III. Impact
> >>
> >> Unmodified files in /etc/ may be deleted on running freebsd-update upgrade.
> >>
> >> IV.  Workaround
> >>
> >> No workaround is available.
> >>
> >> V.   Solution
> >>
> >> Upgrade your system to a supported FreeBSD stable or release / security
> >> branch (releng) dated after the correction date.
> >>
> >> Perform one of the following:
> >>
> >> 1) To update your system via a binary patch:
> >>
> >> Systems running a RELEASE version of FreeBSD on the amd64, i386, or
> >> (on FreeBSD 13 and later) arm64 platforms can be updated via the
> >> freebsd-update(8) utility:
> >>
> >> # freebsd-update fetch
> >> # freebsd-update install
> >>
> >> 2) To update your system via a source code patch:
> >>
> >> The following patches have been verified to apply to the applicable
> >> FreeBSD release branches.
> >>
> >> a) Download the relevant patch from the location below, and verify the
> >> detached PGP signature using your PGP utility.
> >>
> >> # fetch https://security.FreeBSD.org/patches/EN-23:09/freebsd-update.patch
> >> # fetch https://security.FreeBSD.org/patches/EN-23:09/freebsd-update.patch.asc
> >> # gpg --verify freebsd-update.patch.asc
> >>
> >> b) Apply the patch.  Execute the following commands as root:
> >>
> >> # cd /usr/src
> >> # patch < /path/to/patch
> >>
> >> c) Recompile the operating system using buildworld and installworld as
> >> described in .
> >>
> >> VI.  Correction details
> >>
> >> This issue is corrected by the corresponding Git commit hash or Subversion
> >> revision number in the following stable and release branches:
> >>
> >> Branch/path                             Hash                     Revision
> >> -------------------------------------------------------------------------
> >> stable/13/                              866e5c6b3ce7    stable/13-n255386
> >> releng/13.2/                            0b39d9de2e71  releng/13.2-n254628
> >> stable/12/                                                        r373221
> >> releng/12.4/                                                      r373231
> >> -------------------------------------------------------------------------
> >>
> >> For FreeBSD 13 and later:
> >>
> >> Run the following command to see which files were modified by a
> >> particular commit:
> >>
> >> # git show --stat
> >>
> >> Or visit the following URL, replacing NNNNNN with the hash:
> >>
> >>
> >> To determine the commit count in a working tree (for comparison against
> >> nNNNNNN in the table above), run:
> >>
> >> # git rev-list --count --first-parent HEAD
> >>
> >> For FreeBSD 12 and earlier:
> >>
> >> Run the following command to see which files were modified by a particular
> >> revision, replacing NNNNNN with the revision number:
> >>
> >> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
> >>
> >> Or visit the following URL, replacing NNNNNN with the revision number:
> >>
> >>
> >> VII. References
> >>
> >>
> >> The latest revision of this advisory is available at

Hi.

sshd has the "-f config_file" option to override the default
/etc/ssh/sshd_config. See `man sshd` for details.

And in /etc/defaults/rc.conf, the 3 lines below exist:

sshd_enable="NO"                # Enable sshd
sshd_program="/usr/sbin/sshd"   # path to sshd, if you want a different one.
sshd_flags=""                   # Additional flags for sshd.

You should already have set at least 'sshd_enable="YES"' in your
/etc/rc.conf or /etc/rc.conf.local, if you are running sshd on your
system.
Why not create a customised sshd_config with another name or in another
place and override the default with sshd_flags, keeping the vanilla one
intact? For example, copy /etc/ssh/sshd_config to
/etc/ssh/sshd_config_local, edit it to fit your needs, and specify
sshd_flags="-f /etc/ssh/sshd_config_local" in your /etc/rc.conf[.local].

Keep in mind to track any changes to the vanilla one for
additions/changes/deletions of functionality and edit yours when needed.

-- 
Tomoaki AOKI
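The workflow in the reply above, carried through as an added example. This is editor's illustration code, not code from the thread, from FreeBSD's rc scripts or from freebsd-update. It assumes the file name /etc/ssh/sshd_config_local from the reply plus a pristine "baseline" copy of the stock file (the name sshd_config.baseline is an invented one), and the demo at the bottom uses constructed sshd_config contents in a scratch directory so it runs on any POSIX sh host; `sshd -t -f` is a real sshd option but is only invoked when sshd is installed.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD): keep a customised copy
# of sshd_config beside the stock one, point sshd at it with sshd_flags, and
# notice when a later freebsd-update run changed the stock file so the change
# can be ported by hand into the local copy. Paths are parameters; the
# baseline file name and the sample config contents below are assumptions
# made for the demo.

# derive_local_config VANILLA LOCAL BASELINE
#   Seed LOCAL from the stock file (never clobbering an existing LOCAL) and
#   keep BASELINE, a pristine copy of the stock file LOCAL was derived from.
derive_local_config() {
    vanilla=$1; local_cfg=$2; baseline=$3
    [ -f "$vanilla" ] || return 1
    cp "$vanilla" "$baseline" || return 1
    if [ ! -f "$local_cfg" ]; then
        cp "$vanilla" "$local_cfg" || return 1
    fi
    chmod 0600 "$local_cfg" "$baseline"
}

# vanilla_drift VANILLA BASELINE
#   0: stock file unchanged since BASELINE was taken; 1: it changed (prints
#   upstream's changes as a unified diff to port into the local file);
#   2: an input file is missing.
vanilla_drift() {
    [ -f "$1" ] && [ -f "$2" ] || return 2
    if cmp -s "$2" "$1"; then
        return 0
    fi
    diff -u "$2" "$1"
    return 1
}

# check_local_config LOCAL
#   Syntax-check the local file with sshd -t before rc.conf points at it.
#   Returns 0 when sshd is not installed on this host (nothing to check).
check_local_config() {
    command -v sshd >/dev/null 2>&1 || return 0
    sshd -t -f "$1"
}

# rc_conf_line LOCAL
#   The rc.conf setting (also settable with sysrc) that makes the sshd rc
#   script start sshd with -f LOCAL.
rc_conf_line() {
    printf 'sshd_flags="-f %s"\n' "$1"
}

# demo: constructed files in a scratch directory. Returns 0 when no drift is
# reported right after deriving and drift is reported once the stock file has
# been replaced by a "new release" version.
demo() {
    d=$(mktemp -d) || return 1
    printf '#Port 22\n#PermitRootLogin prohibit-password\nSubsystem sftp /usr/libexec/sftp-server\n' \
        >"$d/sshd_config"
    derive_local_config "$d/sshd_config" "$d/sshd_config_local" \
        "$d/sshd_config.baseline" || return 1
    # Local customisation goes into the local copy only; the stock file stays
    # byte-identical to the release's, so freebsd-update has nothing to merge.
    printf 'PermitRootLogin no\nPasswordAuthentication no\n' >>"$d/sshd_config_local"
    check_local_config "$d/sshd_config_local" || return 1
    before=0
    vanilla_drift "$d/sshd_config" "$d/sshd_config.baseline" >/dev/null || before=$?
    # Simulate a later freebsd-update installing the new release's stock file.
    printf '#Include /etc/ssh/sshd_config.d/*.conf\n' >>"$d/sshd_config"
    after=0
    vanilla_drift "$d/sshd_config" "$d/sshd_config.baseline" || after=$?
    rm -rf "$d"
    echo "drift before update: $before, after update: $after"
    [ "$before" -eq 0 ] && [ "$after" -eq 1 ]
}

demo
```

On a real host the same steps are `derive_local_config /etc/ssh/sshd_config /etc/ssh/sshd_config_local /etc/ssh/sshd_config.baseline`, edit the local copy, `sshd -t -f /etc/ssh/sshd_config_local`, `sysrc sshd_flags="-f /etc/ssh/sshd_config_local"` and `service sshd restart` (keep the current session open until a fresh login works). After each freebsd-update run, `vanilla_drift` against the baseline shows exactly what upstream changed in the stock file; port those lines into the local copy, then re-run `derive_local_config` to refresh the baseline. The trade-off is the one the reply names: the local file is now yours to keep in step with the release, since nothing merges it for you.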