Subject: SSH Fix On Box Behind Proxy Firewall - How ??
To: None <netbsd-help@NetBSD.org>
From: Nick Boyce <nick@glimmer.demon.co.uk>
List: netbsd-help
Date: 09/30/2003 03:27:31
I'm unable to apply the SSH buffer management fix using the method
advised in NetBSD Security Advisory 2003-012 on a 1.6.1-Stable box,
because:
1) the box is on our company network, behind a proxy firewall
2) the method advised involves using CVS to grab updated source
3) it appears that CVS won't work across a proxy firewall

This is what happens when I try:

 /usr/src# cvs update -d -P -r netbsd-1-6 crypto/dist/ssh
 rsh: anoncvs.netbsd.org: No address associated with hostname
 cvs [update aborted]: end of file from server (consult above messages if any)

I looked for a way to specify the relevant proxy details to cvs, but
the following has no effect:

 /usr/src# export http_proxy=http://AAAA:PPPP@our.proxy.host:80/
 /usr/src# export ftp_proxy=http://AAAA:PPPP@our.proxy.host:81/

 (this is what I use for normal pkgsrc updates via wget)

And when I Googled for help, all I found were postings which seem to
imply that cvs *cannot* be used across such a firewall.

I know next to nothing about cvs (never used it), so maybe I'm
misunderstanding it - clues gratefully received.

Quite apart from the above, I'm also confused about whether the
*recommendation* (for a production box) is to get an updated SSH by
(a) updating the base system as above, or (b) using pkgsrc to acquire
the apparently equivalent updated openssh package.

The following statement is from
http://www.netbsd.org/Changes/#sa2003-030917 :

 Fixes for the latest OpenSSH security vulnerabilities
 <http://archives.neohapsis.com/archives/openbsd/2003-09/1193.html>
 have been applied to NetBSD-current, and the netbsd-1-5 and
 netbsd-1-6 branches. Pkgsrc/security/openssh has also been
 updated to OpenSSH 3.7.1, which includes these fixes.

So which fix source is appropriate for a production box - CVS or
pkgsrc?
Are there any pros & cons?
What should I do here please?

(The Advisory also says "The NetBSD Project will make binary patchsets
available when builds have completed", but that was nearly 2 weeks
ago, and no pkgsrc binaries are listed yet at
ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/security/openssh/README.html)

Thanks for any advice.
Nick Boyce
Bristol, UK
--
Dinner is ready when the smoke alarm goes off.