Subject: Re: software versions/1.6.2
To: None <lists@sancho2k.net>
From: Havard Eidnes <he@netbsd.org>
List: netbsd-users
Date: 03/08/2004 09:23:22
> I installed from the 1.6.2-bin ISO.  The builtin sshd shows as follows:
>
>   $ scanssh 127.0.0.1
>   127.0.0.1 SSH-1.99-OpenSSH_3.4 NetBSD_Secure_Shell-20030917
>
> Is it true that the version that comes with 1.6.2 is 3.4?

Well, yes and no.  It is based on 3.4.  If you go read the
CHANGES-1.6.* files, you'll see what local changes have been made
to this particular version.  As far as I can see these are:

crypto/dist/ssh/auth.c                          1.18

        Add missing
                hp = strtok(NULL, ",");
        to end of while loop which parses "host.allow" from login.conf(5).
        Otherwise, sshd(8) would just infinite loop unless there was a
        (positive or negative) match in the first word of the "host.allow"
        list...
        [lukem, ticket #1231]

crypto/dist/ssh/buffer.c                        1.3
crypto/dist/ssh/version.h                       1.29 (via patch)

        Do not record expanded size before attempting to reallocate the
        associated memory. From OpenBSD, via FreeBSD.

        Crank __NETBSDSSH_VERSION for buffer.c fix.
        Fixes SA#SA2003-012.
        [elric/tron, ticket #1471]

crypto/dist/ssh/buffer.c                        1.3-1.4
crypto/dist/ssh/channels.c                      1.30
crypto/dist/ssh/deattack.c                      1.13
crypto/dist/ssh/misc.c                          1.12-1.14
crypto/dist/ssh/session.c                       1.35
crypto/dist/ssh/version.h                       1.31-1.32 (via patch)

        Apply more malloc fixes from OpenSSH 3.7 -> 3.7.1.
        Fixes SA#SA2003-012.
        [christos, no ticket]

crypto/dist/ssh/ssh-agent.c                     1.23

        Fix typo.  markus@openbsd
        [itojun, ticket #1476]

crypto/dist/ssh/buffer.c                        1.5

        Protect against double free; #660;  zardoz at users.sf.net
        from openbsd
        [christos, ticket #1477]

> If so, what is the recommended update path to get to the current
> openssh release?

Do you know of something which may cause you to need the upgrade?

> Is one required, or is the version listed simply 3.4p with needed
> patches applied?

The version is 3.4 (not "p") with the above patches applied.

> Am I wrong to expect a current version number to reflect a current
> patch application?

I'm not sure what you mean here, but the NetBSD date should indicate
when the sources were last touched in a significant way.  And, yes, we
do apply security patches to the software we maintain, and the
netbsd-1-6 branch is still being maintained.

> Another one is openssl:
>
>   $ openssl version
>   OpenSSL 0.9.6g 9 Aug 2002
>
> I installed the binary package "openssl-0.9.6l" to add openssl to my
> system. I see that NetBSD-SA2004-003 describes the ASN.1 issue and
> mentions that 0.9.6l package resolves the vulnerability.

Yes, but the fix for each of the branches is different, and this
problem is solved by "minimal touch fix" of the sources.  The quoted
SA also clearly states that 1.6.2 is not vulnerable to this weakness,
and you'll again find the fixes in the doc/CHANGES-1.6.2 file:

crypto/dist/openssl/crypto/asn1/asn1_lib.c      patch
crypto/dist/openssl/crypto/x509/x509_vfy.c      patch

        Fix various bugs revealed by running the NISCC test suite:
        Stop out of bounds reads in the ASN1 code when presented with
        invalid tags (CAN-2003-0543 and CAN-2003-0544).
        If verify callback ignores invalid public key errors don't try to check
        certificate signature with the NULL public key.
        SA#2003-017
        [christos, ticket #1492]

crypto/dist/openssl/ssl/ssl_ciph.c              1.6 (via patch)

        From OpenBSD:
        Correct some off-by-ones.  They currently don't matter, but this
        is for future safety and consistency.
        OK krw@, markus@
        [itojun, ticket #1495]

crypto/dist/openssl/ssl/s3_clnt.c               1.5
crypto/dist/openssl/ssl/s3_srvr.c               1.6

        More fixes from 0.9.7c, from openbsd.
        [itojun, ticket #1496]

crypto/dist/openssl/crypto/asn1/a_bytes.c       patched by hand
crypto/dist/openssl/ssl/ssl_ciph.c              patched by hand

        Changes between 0.9.6k and 0.9.6l  [04 Nov 2003]
        *) Fix additional bug revealed by the NISCC test suite:
            Stop bug triggering large recursion when presented with
            certain ASN.1 tags (CAN-2003-0851). from Steve Henson
        [itojun, ticket #1557]

crypto/dist/openssl/crypto/opensslv.h           apply patch

        Define OPENSSL_HAS_20031107_FIX which reflects the date that the
        OpenSSL 0.6.9g -> 0.9.6l fixes were pulled up to the branch.
        [jlam, ticket #1566]

> How does that tie in with the displayed release date of 9 Aug 2002?
> Simply patched source..?

Well, we can't/shouldn't touch that date.  Local software which needs
to check that the mentioned vulnerability is fixed could do as pkgsrc
does and check the symbol mentioned the last above.

So... yes, this source is already patched.

Regards,

- Håvard
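
Added example, not part of the original message and not pkgsrc's own logic: a shell sketch of the symbol check suggested above, which classifies an opensslv.h by the OPENSSL_HAS_20031107_FIX marker instead of trusting the version banner. The header files are constructed samples, and the function names and result labels are assumptions.

```shell
#!/bin/sh
# Added example. The header files below are constructed samples, not real trees.
LC_ALL=C; export LC_ALL
MARKER=OPENSSL_HAS_20031107_FIX   # symbol named in the CHANGES entry above

# Print the version token (e.g. "0.9.6g") from OPENSSL_VERSION_TEXT.
header_version() {
    sed -n 's/^#[[:space:]]*define[[:space:]]\{1,\}OPENSSL_VERSION_TEXT[[:space:]]\{1,\}"OpenSSL \([^ "]*\).*/\1/p' "$1" | head -n 1
}

# Succeed only on an active "#define MARKER"; a commented-out line does not count.
has_marker() {
    grep -Eq "^#[[:space:]]*define[[:space:]]+${MARKER}([[:space:]]|\$)" "$1"
}

# Classify one opensslv.h with respect to the fixes up to 0.9.6l.
classify() {
    v=$(header_version "$1")
    case "$v" in
        0.9.6[l-z]) echo fixed-by-version ;;          # upstream release has the fixes
        0.9.6|0.9.6[a-k])                             # old banner: look for the backport marker
            if has_marker "$1"; then echo fixed-by-backport
            else echo no-evidence-of-fix; fi ;;
        *) echo unknown-branch ;;                     # outside what this sketch covers
    esac
}

# Constructed sample headers (stand-ins for real opensslv.h files).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
old='#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6g 9 Aug 2002"'
printf '%s\n' "$old" > "$demo_dir/stock.h"
printf '%s\n' "$old" "#define $MARKER" > "$demo_dir/backported.h"
printf '%s\n' "$old" "/* #define $MARKER */" > "$demo_dir/commented.h"
printf '%s\n' '#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6l 04 Nov 2003"' > "$demo_dir/pkg.h"

for f in stock backported commented pkg; do
    printf '%-12s %s\n' "$f" "$(classify "$demo_dir/$f.h")"
done
```

Two headers with the same "0.9.6g 9 Aug 2002" banner classify differently here, which is why an inventory or scanner that keys only on the banner misreports a patched base system.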