Re: Upcoming OpenSSH vulnerability

[Scott Francis <darkuncle@darkuncle.net>]

On Tue, Jun 25, 2002 at 01:32:40PM +1000, adrian@close.wattle.id.au said:
> On Mon, 24 Jun 2002, Theo de Raadt wrote:
>
> > However, everyone should update to OpenSSH 3.3 immediately, and enable
>
> OK.  Can someone in the know please post some instructions on the approved
> patching method?
>
> I see nothing in http://www.openbsd.org/errata.html about this, nor can I
> find any useful CVS tags in src/usr.bin/ssh...  The FAQ at OpenSSH.com is
> also strangely quiet on the issue of upgrading.

I've upgraded 3 machines so far today. One of them had been 3.0 and went to
3.1 prior to the OpenSSH upgrade; the other two were running 3.1. I first did
a 'cd /usr; cvs checkout -P -rOPENBSD_3_1 src' and followed the build
instructions from OpenSSH.org, but 'ssh -V' still returned 3.2.3 after that.
So I went and grabbed openssh-3.3.tgz from the local ftp mirror, exploded it
in /usr/src/usr.bin/ssh and followed the build instructions (again). This
time, it worked (actually worked 3 of 3 times, since I tried from CVS source
all 3 times first).

I probably goofed something up when trying to build from CVS; pulling the
tarball worked best for me. YMMV.

privsep works great now; 3.3 is running perfectly on all 3 boxes.
--
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
  GPG key CB33CCA7 has been revoked; I am now 5537F527
        illum oportet crescere me autem minui

[demime 0.98d removed an attachment of type application/pgp-signature]