bug found in openssh, upgrade today!



Postby seiki » Wed Sep 17, 2003 8:14 am

Here's a little script to easily upgrade an sshd server on FreeBSD.
Paste it all into a root shell.

enjoy,
-seiki


ps, first ensure that the user 'sshd' exists with no shell, as older versions of FreeBSD don't have privilege separation. If user sshd doesn't exist, add it.

Also, make sure that CheckMail is commented out in /etc/ssh/sshd_config, as it's no longer supported either and will cause your sshd to error if left enabled.

pss, be sure to remove the trailing whitespace this forum seemed to put on each line before pasting into a shell.

# script starts here

# cvsup(1) supfile: pull the RELENG_4 sources for the crypto and secure trees only.
cat >/tmp/sshsupfile <<EOF
*default host=cvsup11.FreeBSD.org
*default base=/usr
*default prefix=/usr
*default release=cvs
*default tag=RELENG_4
*default delete use-rel-suffix

src-crypto
src-secure
EOF

# Fetch the updated sources.
cvsup /tmp/sshsupfile
# Rebuild and install libssh and sshd from the freshly updated tree.
cd /usr/src/secure && make clean
cd /usr/src/secure/lib/libssh && make && make install
cd /usr/src/secure/usr.sbin/sshd && make && make install
# Restart the daemon (the session you are typing in is served by a child and survives).
kill `cat /var/run/sshd.pid`
/usr/sbin/sshd
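
Added pre-flight checks for the upgrade above (example code, not from the thread): they verify the two things the post says to check first, CheckMail disabled in sshd_config and an 'sshd' user with a nologin shell, and compare an `ssh -V` string against the 3.7.1p1 the thread names; the sshd_config and passwd lines are constructed samples.

```sh
#!/bin/sh
# Added example, not from the thread. Each check takes a path or string so it can
# run on the constructed samples below or on /etc/ssh/sshd_config, /etc/passwd, ssh -V.

# 0 if no active (uncommented) CheckMail directive is left in the sshd_config.
checkmail_disabled() {
    ! grep -Eiq '^[[:space:]]*CheckMail([[:space:]]|=)' "$1"
}

# 0 if the passwd file has an 'sshd' user whose login shell is a nologin shell.
sshd_user_ok() {
    awk -F: '$1 == "sshd" && $7 ~ /nologin$/ { found = 1 } END { exit !found }' "$1"
}

# Print "major minor micro portable" for "OpenSSH_3.6.1p2, SSH protocols ..."
# (the form `ssh -V` prints) or a bare "3.7p1"; missing parts count as 0.
ssh_version_key() {
    printf '%s\n' "$1" | sed -E 's/^OpenSSH_//; s/[,[:space:]].*$//' | awk '{
        n = split($0, bp, "p"); split(bp[1], v, ".")
        printf "%d %d %d %d\n", v[1] + 0, v[2] + 0, v[3] + 0, (n > 1 ? bp[2] : 0) + 0
    }'
}

# 0 if installed version $1 is at least required version $2, field by field.
version_at_least() {
    set -- $(ssh_version_key "$1") $(ssh_version_key "$2")
    [ "$1" -ne "$5" ] && return $(( $1 < $5 ))
    [ "$2" -ne "$6" ] && return $(( $2 < $6 ))
    [ "$3" -ne "$7" ] && return $(( $3 < $7 ))
    [ "$4" -ge "$8" ]
}

# Run every check; 0 only if sshd_config and the sshd user are ready for the upgrade.
preflight() {   # args: sshd_config passwd installed_version required_version
    rc=0
    checkmail_disabled "$1" || { echo "FAIL: CheckMail still enabled in $1"; rc=1; }
    sshd_user_ok "$2" || { echo "FAIL: no 'sshd' user with a nologin shell in $2"; rc=1; }
    version_at_least "$3" "$4" && echo "OK: $3 already >= $4" || echo "upgrade needed: $3 < $4"
    return $rc
}

# Constructed samples (not real hosts): one config still has CheckMail enabled.
OLD_CONF=$(mktemp); NEW_CONF=$(mktemp); PASSWD=$(mktemp)
printf 'Port 22\nCheckMail yes\n' > "$OLD_CONF"
printf 'Port 22\n#CheckMail yes\n' > "$NEW_CONF"
printf 'root:*:0:0::/root:/bin/sh\nsshd:*:22:22::/var/empty:/sbin/nologin\n' > "$PASSWD"
preflight "$OLD_CONF" "$PASSWD" "OpenSSH_3.6.1p2, SSH protocols 1.5/2.0" "3.7.1p1" || echo "not ready"
preflight "$NEW_CONF" "$PASSWD" "OpenSSH_3.6.1p2, SSH protocols 1.5/2.0" "3.7.1p1"
rm -f "$OLD_CONF" "$NEW_CONF" "$PASSWD"
```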

Postby munky » Wed Sep 17, 2003 1:33 pm

from the freebsd SA
[FreeBSD 4.3 through 4.5]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/ ... er45.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/ ... .patch.asc

[FreeBSD 4.6 and later, FreeBSD 5.0 and later]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/ ... er46.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/ ... .patch.asc

Execute the following commands as root:

# cd /usr/src
# patch < /path/to/sshd.patch
# cd /usr/src/secure/lib/libssh
# make depend && make all install
# cd /usr/src/secure/usr.sbin/sshd
# make depend && make all install
# cd /usr/src/secure/usr.bin/ssh
# make depend && make all install

Be sure to restart `sshd' after updating.

# kill `cat /var/run/sshd.pid`
# (. /etc/rc.conf && ${sshd_program:-/usr/sbin/sshd} ${sshd_flags})
but since a second patched version (3.7.1p1) of openssh was released the same day, that SA may be outdated already

redhat rpm updates are available
Red Hat Linux 7.1, 7.2, 7.3, 8.0 and 9: SRPMS and i386 packages (ia64 as well for 7.2) under ftp://updates.redhat.com/<release>/en/os/
(same possible outdated applies)

current openbsd patches are available on http://www.openbsd.org/errata.html or http://www.openssh.org/openbsd.html

those are the only distros i currently follow, any other directions are up to you to find ;)
In God we trust,
Everyone else must have an X.509 certificate.

Postby deww » Wed Sep 17, 2003 5:56 pm

Nice helpful tips. I had no idea previously how to do the FBSD one properly.
Gentoo users are quite easy:
emerge sync
emerge openssh

Slackware:
These are unofficial packages but they work just as well -
Slackware 9.0 http://www.linuxpackages.net/redirectht ... h-3.7.1p1/
Slackware 8.1
http://www.linuxpackages.net/redirectht ... h-3.7.1p1/
Official packages should be available under the patches directory of the release version.
Use "installpkg openssh-3.7.1p1-i386-1.tgz" to install.

Postby munky » Thu Sep 18, 2003 12:16 pm

and to fix the second bug:

freebsd:
[FreeBSD 4.3 and 4.4]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/ ... er44.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/ ... .patch.asc

[FreeBSD 4.5]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/ ... er45.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/ ... .patch.asc

[FreeBSD 4.6 and later, FreeBSD 5.0 and later]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/ ... er46.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/ ... .patch.asc

Execute the following commands as root:

# cd /usr/src
# patch < /path/to/sshd.patch
# cd /usr/src/secure/lib/libssh
# make depend && make all install
# cd /usr/src/secure/usr.sbin/sshd
# make depend && make all install
# cd /usr/src/secure/usr.bin/ssh
# make depend && make all install

Be sure to restart `sshd' after updating.

# kill `cat /var/run/sshd.pid`
# /usr/sbin/sshd

redhat
Red Hat Linux 7.1, 7.2, 7.3, 8.0 and 9: SRPMS and i386 packages (ia64 as well for 7.2) under ftp://updates.redhat.com/<release>/en/os/

openbsd:
http://www.openssh.org/openbsd.html or http://www.openbsd.org/errata.html


and while you're at it, make sure you check to be sure your sendmail is fully patched for http://www.securityfocus.com/archive/1/ ... 03-09-21/0

Postby clunked » Thu Sep 18, 2003 7:15 pm

There are official Slackware packages now. Before they were available, it was simple enough to grab the openssh-3.6.1p2 build script and substitute the source tarball and the $VERSION variable inside the script. When this was run it would pop out a working package.

Also, Sendmail was updated to 8.12.10 (security fix) hours after openssh-3.7.1p1 was released. Yes, I know a lot of people think it sucks, but many people use it (including me).

update: I see Munky beat me to that one :D

Old news for many, but maybe not for everyone.

Postby Klimpong » Thu Sep 25, 2003 10:39 pm

If you compiled with --with-pam, you should update once more.
