bug found in openssh, upgrade today!

[seiki]

Here's a little script to easily upgrade a sshd server on freebsd..
paste it all into a root shell.

enjoy,
-seiki


ps, first ensure that the user 'sshd' exists with no shell, as older versions of freebsd don't have priviledge seperation. If user sshd doesn't exist, add it.

Also, make sure that CheckMail is commented out in /etc/ssh/sshd_config, as it's no longer supported either and will cause your sshd to error if left enabled.

pss, be sure to remove the trailing whitespace this forum seemed to put on each line before pasting into a shell.

<!- script stars here

cat >/tmp/sshsupfile <<EOF
*default host=cvsup11.FreeBSD.org
*default base=/usr
*default prefix=/usr
*default release=cvs
*default tag=RELENG_4
*default delete use-rel-suffix

src-crypto
src-secure
EOF

cvsup /tmp/sshsupfile
cd /usr/src/secure && make clean
cd /usr/src/secure/lib/libssh && make && make install
cd /usr/src/secure/usr.sbin/sshd && make && make install
kill `cat /var/run/sshd.pid`
/usr/sbin/ssh

[munky]

from the freebsd SA

[FreeBSD 4.3 through 4.5]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/ ... er45.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/ ... .patch.asc

[FreeBSD 4.6 and later, FreeBSD 5.0 and later]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/ ... er46.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/ ... .patch.asc

Execute the following commands as root:

# cd /usr/src
# patch < /path/to/sshd.patch
# cd /usr/src/secure/lib/libssh
# make depend && make all install
# cd /usr/src/secure/usr.sbin/sshd
# make depend && make all install
# cd /usr/src/secure/usr.bin/ssh
# make depend && make all install

Be sure to restart `sshd' after updating.

# kill `cat /var/run/sshd.pid`
# (. /etc/rc.conf && ${sshd_program:-/usr/bin/sshd} ${sshd_flags})

but since there was a second patched (3.7.1p1) for openssh released same day, that SA may be outdated already

redhat rpm updates are available

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPM ... -9.src.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386 ... 9.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386 ... 9.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386 ... 9.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386 ... 9.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386 ... 9.i386.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPM ... 10.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386 ... 0.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386 ... 0.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386 ... 0.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386 ... 0.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386 ... 0.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64 ... 0.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64 ... 0.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64 ... 0.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64 ... 0.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64 ... 0.ia64.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPM ... 10.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386 ... 0.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386 ... 0.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386 ... 0.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386 ... 0.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386 ... 0.i386.rpm

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPM ... -5.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386 ... 5.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386 ... 5.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386 ... 5.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386 ... 5.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386 ... 5.i386.rpm

Red Hat Linux 9:

SRPMS:
ftp://updates.redhat.com/9/en/os/SRPMS/ ... -9.src.rpm

i386:
ftp://updates.redhat.com/9/en/os/i386/o ... 9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/o ... 9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/o ... 9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/o ... 9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/o ... 9.i386.rpm

(same possible outdated applies)

current openbsd patches are available on http://www.openbsd.org/errata.html or http://www.openssh.org/openbsd.html

those are the only distro's i currently follow, any other directions are up to you to find

[deww]

Nice helpful tips. I had no idea previously how to do the FBSD one properly.
Gentoo users are quite easy:
emerge sync
emerge openssh

Slackware:
These are unofficial packages but they work just as well -
Slackware 9.0 http://www.linuxpackages.net/redirectht ... h-3.7.1p1/
Slackware 8.1
http://www.linuxpackages.net/redirectht ... h-3.7.1p1/
Official packages should be available under the patches directory of the release version.
Use "installpkg openssh-3.7.1p1-i386-1.tgz" to install.

[munky]

and to fix the second bug:

freebsd:

[FreeBSD 4.3 and 4.4]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/ ... er44.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/ ... .patch.asc

[FreeBSD 4.5]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/ ... er45.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/ ... .patch.asc

[FreeBSD 4.6 and later, FreeBSD 5.0 and later]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/ ... er46.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/ ... .patch.asc

Execute the following commands as root:

# cd /usr/src
# patch < /path/to/sshd.patch
# cd /usr/src/secure/lib/libssh
# make depend && make all install
# cd /usr/src/secure/usr.sbin/sshd
# make depend && make all install
# cd /usr/src/secure/usr.bin/ssh
# make depend && make all install

Be sure to restart `sshd' after updating.

# kill `cat /var/run/sshd.pid`
# /usr/sbin/sshd

redhat

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPM ... 13.src.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386 ... 3.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386 ... 3.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386 ... 3.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386 ... 3.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386 ... 3.i386.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPM ... 14.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386 ... 4.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386 ... 4.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386 ... 4.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386 ... 4.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386 ... 4.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64 ... 4.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64 ... 4.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64 ... 4.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64 ... 4.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64 ... 4.ia64.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPM ... 14.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386 ... 4.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386 ... 4.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386 ... 4.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386 ... 4.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386 ... 4.i386.rpm

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPM ... -7.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386 ... 7.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386 ... 7.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386 ... 7.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386 ... 7.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386 ... 7.i386.rpm

Red Hat Linux 9:

SRPMS:
ftp://updates.redhat.com/9/en/os/SRPMS/ ... 11.src.rpm

i386:
ftp://updates.redhat.com/9/en/os/i386/o ... 1.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/o ... 1.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/o ... 1.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/o ... 1.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/o ... 1.i386.rpm

openbsd:
http://www.openssh.org/openbsd.html or http://www.openbsd.org/errata.html


and while you're at it, make sure you check to be sure your sendmail is fully patched for http://www.securityfocus.com/archive/1/ ... 03-09-21/0

[clunked]

There are official Slackware packages now. Before it was available, it was simple enough to grab the openssh-3.6.1p2 built script, substitute the source tarball and $VERSION variable inside the script. When this was run it would pop out a working package.

Also, Sendmail was updated to 8.12.10 (security fix) hours after openssh-3.7.1p1 was released. Yes, I know a lot of people think it sucks, but many people use it (including me).

update: I see Munky beat me to that one

[Klimpong]

If you compiled with --with-pam, you should update once more.