# OpenSSH Upgrades



## gladiola (Apr 9, 2020)

Much of the time, we would recompile from ports or use pkg to upgrade programs.  We use freebsd-update to keep the system patched.  What about major and minor version changes for programs like ssh (OpenSSH) which are central to the performance of FreeBSD?  How are those updated?  When we select a version of FreeBSD to run, are we basically stuck with some programs until we upgrade to a later version?  If so, which kinds of programs might be in that situation?


----------



## getopt (Apr 9, 2020)

OpenSSH comes by default as a 'base'-version in FreeBSD. Therefore it is usable without any other ports installed right after installation. It is located in /usr/bin/. You can also install a ports-version but this is usually not necessary unless you have a good reason.
The base-version gets upgraded/updated with the security patches for your FreeBSD version when necessary. If you want to use the ports-version (which would be installed in /usr/local/bin) it would need updates like the other ports.

Also see FreeBSD Handbook, Chapter 15. Security (www.freebsd.org): "Hundreds of standard practices have been authored about how to secure systems and networks, and as a user of FreeBSD, understanding how to protect against attacks and intruders is a must."


----------



## gladiola (Apr 9, 2020)

The version of OpenSSH in my copy of FreeBSD 12.1 is over 18 months old.  I have a host with OpenSSH that shows 7.8 from September 2018.  OpenSSH is on 8.1.  How far behind do we have to get before it gets updated?

There's no ports maintainer, I suppose, because there's no port.  So, who determines this?  Is this the type of thing that's decided as a release is built?  If so, then when would we see 8.1 or better?  In a later release of the OS?


----------



## getopt (Apr 9, 2020)

Yes, usually it is upgraded with a new release.

You can find such info in the release notes (section Contributed Software): FreeBSD 12.0-RELEASE Release Notes was when OpenSSH was updated to version 7.8p1. [r338561]

It is good practice to stay with the base version and follow the FreeBSD Security Advisories. Have a look at it.


----------



## gladiola (Apr 10, 2020)

OK, I was aware of most of this before I started the thread.  I'm just going to install openssh-portable.


----------



## iandstanley (Feb 6, 2022)

gladiola said:


> OK, I was aware of most of this before I started the thread.  I'm just going to install openssh-portable.


Just noticed this.

I've been trying to get my yubico security key working with ssh and despite installing openssh-portable, ssh was missing the -K option.

After a little poking around I noticed that

```
$ ssh -V
OpenSSH_7.9p1, OpenSSL 1.1.1k-freebsd 24 Aug 2021
```

v7.9 is over three years old and has known vulnerabilities.

After installing openssh-portable I have

```
$ /usr/local/bin/ssh -V
OpenSSH_8.8p1, OpenSSL 1.1.1k-freebsd 24 Aug 2021
```

Now I'm having to use an alias and patch scripts to avoid the old version.

I have raised a bug on base re the 2018 version in /usr/bin/ssh.
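As an added example (not code from this thread), a POSIX sh script that parses the `ssh -V` banner and checks both the base and ports binaries against a minimum version, using the two banners quoted above as constructed input; as SirDice notes later in the thread, a base OpenSSH with an old version number may still carry backported security fixes, so a version check alone is not proof of exposure.

```shell
#!/bin/sh
# Parse the banner `ssh -V` prints and compare it with a required minimum, so a
# script can tell the base /usr/bin/ssh from a newer ports build. Banner format
# assumed: "OpenSSH_7.9p1, OpenSSL 1.1.1k-freebsd 24 Aug 2021" (from this thread).

# Print "MAJOR.MINOR" from an OpenSSH banner; prints nothing for other banners.
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit 0 when banner $1 is OpenSSH at least version $2 (e.g. 8.2), else 1.
# Major and minor are compared numerically, so 8.10 correctly beats 8.8.
openssh_at_least() {
    v=$(openssh_version "$1")
    [ -n "$v" ] || return 1
    have_major=${v%%.*}; have_minor=${v#*.}
    want_major=${2%%.*}; want_minor=${2#*.}
    [ "$have_major" -gt "$want_major" ] && return 0
    [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]
}

# Run an installed ssh binary and report whether its banner meets minimum $2.
# Returns 1 for an outdated binary, 2 when the path is not installed.
check_ssh_binary() {
    bin_path=$1; minimum=$2
    [ -x "$bin_path" ] || { echo "$bin_path: not installed"; return 2; }
    banner=$("$bin_path" -V 2>&1)
    if openssh_at_least "$banner" "$minimum"; then
        echo "$bin_path: $banner (>= $minimum, ok)"
    else
        echo "$bin_path: $banner (older than $minimum)"; return 1
    fi
}

# Constructed banners copied from this thread, so the logic runs offline.
BASE_BANNER='OpenSSH_7.9p1, OpenSSL 1.1.1k-freebsd 24 Aug 2021'
PORT_BANNER='OpenSSH_8.8p1, OpenSSL 1.1.1k-freebsd 24 Aug 2021'

for b in "$BASE_BANNER" "$PORT_BANNER"; do
    if openssh_at_least "$b" 8.2; then echo "ok:       $b"; else echo "outdated: $b"; fi
done

# Inventory the two places FreeBSD can carry ssh: base and the openssh-portable port.
for candidate in /usr/bin/ssh /usr/local/bin/ssh; do
    check_ssh_binary "$candidate" 8.8
done
```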


----------



## VladiBG (Feb 6, 2022)

iandstanley said:


> v7.9 is over three years old and has known vulnerabilities


Can you provide more info?

Openbsd Openssh version 7.9 : Security vulnerabilities (www.cvedetails.com): list of CVE security vulnerabilities related to this exact version. You can filter results by CVSS scores, years and months. This page provides a sortable list of security vulnerabilities.


----------



## ldd (May 17, 2022)

VladiBG said:


> Can you provide more info?
> ...



A vulnerability scan run against a FreeBSD 13.0 machine running ssh 7.9p1, using nmap with the vulners script, reports the following vulnerabilities (most of which seem to be variations on the same CVEs):





----------



## SirDice (May 18, 2022)

https://www.freebsd.org/security/advisories/FreeBSD-EN-19:10.scp.asc fixed before 13.0 was even released.

FreeBSD 13.0 may have an _older_ version of OpenSSH in the base; security issues are backported and fixed. 13.1 should have OpenSSH 8.8p1. You will need to upgrade your 13.0 anyway now that 13.1 has been released. 13.0 will be EoL three months after the release of 13.1.


----------

