On 10/16/16 09:26, David Wolfskill wrote:> And over the last year or so, it's worked pretty well: I have the > machine set up (as is usually my approach) to be able to boot from > either of a couple of slices. I use a "dump | restore" pipeline > to copy the / and /usr file systems from the "active" slice to the > "inactive" slice, adjust /etc/fstab on the inactive slice to reflect > reality for when it's the boot slice, then (while the file systemms > from the other slice are still mounted -- e.g., on /S2) run > "freebsd-update -b /S2 fetch install", then reboot from the > newly-updated slice. > > In the past, that's Just Worked.Your usage probably worked because you were lucky for a few times in the past. (details below)> This weekend, though, I was planning to update my other systems tfrom > stable/10 to stable/11, so I figured I'd try freebsd-update on this > machine first. >[...]> root at sisboombah:/tmp # `which sshd` -d > Undefined symbol "ssh_compat13" referenced from COPY relocation in /usr/sbin/sshd > > Any clues?I think this is not going to work (stable/10 -> releng/10.3) due to ABI incompatibility in a downgrade. Basically, freebsd-update is treating your stable/10 as a 10.3-RELEASE installation and will fetch only changes from 10.3-RELEASE to the latest patchlevel. Because of a SSH vulnerability that affects 10.3, freebsd-update would patch libssh (shared library used by sshd and friends), however the change does not affect the main binary. This worked by replacing your existing libssh with the one shipped by freebsd-update (effectively downgraded the library) and that would break sshd. I think upgrade -r 10.2-RELEASE (ideally, 11.0-RELEASE though as it would eliminate the possibility of any potential incompatibility) would work because that would result in a full rewrite of all files. Cheers, -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: OpenPGP digital signature URL: <http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20161016/b7c2d46b/attachment.sig>
David Wolfskill
2016-Oct-16 17:45 UTC
sshd whines & dies after releng/10 "freebsd-update" run
On Sun, Oct 16, 2016 at 10:29:00AM -0700, Xin Li wrote:> ... > On 10/16/16 09:26, David Wolfskill wrote: > > And over the last year or so, it's worked pretty well: I have the > > machine set up (as is usually my approach) to be able to boot from > > either of a couple of slices. I use a "dump | restore" pipeline > > to copy the / and /usr file systems from the "active" slice to the > > "inactive" slice, adjust /etc/fstab on the inactive slice to reflect > > reality for when it's the boot slice, then (while the file systemms > > from the other slice are still mounted -- e.g., on /S2) run > > "freebsd-update -b /S2 fetch install", then reboot from the > > newly-updated slice. > > > > In the past, that's Just Worked. > > Your usage probably worked because you were lucky for a few times in the > past. (details below) > > > This weekend, though, I was planning to update my other systems tfrom > > stable/10 to stable/11, so I figured I'd try freebsd-update on this > > machine first. > > > [...] > > root at sisboombah:/tmp # `which sshd` -d > > Undefined symbol "ssh_compat13" referenced from COPY relocation in /usr/sbin/sshd > > > > Any clues? > > I think this is not going to work (stable/10 -> releng/10.3) due to ABI > incompatibility in a downgrade.I seem to have failed to commnunicate clearly: The machine in question does not, and has not, run "stable". It runs releng. At the moment (on the "old" slice), it reports: sisboombah(10.3-RELEASE-p7)[1] uname -a FreeBSD sisboombah.catwhisker.org 10.3-RELEASE-p7 FreeBSD 10.3-RELEASE-p7 #0: Thu Aug 11 18:38:15 UTC 2016 root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64 sisboombah(10.3-RELEASE-p7)[2]> Basically, freebsd-update is treating your stable/10 as a 10.3-RELEASE > installation and will fetch only changes from 10.3-RELEASE to the latest > patchlevel.I can see that... if the machine were running stable.> Because of a SSH vulnerability that affects 10.3, freebsd-update would > patch libssh (shared library used by sshd and friends), however the > change does not affect the main binary. This worked by replacing your > existing libssh with the one shipped by freebsd-update (effectively > downgraded the library) and that would break sshd.As a reality check: sisboombah(10.3-RELEASE-p7)[4] sudo mount /S2 Password: sisboombah(10.3-RELEASE-p7)[5] sudo mount /S2/usr sisboombah(10.3-RELEASE-p7)[6] ls -lT {,/S2}/usr/lib/private/libssh.so.* -r--r--r-- 1 root wheel 634232 Oct 16 11:57:32 2016 /S2/usr/lib/private/libssh.so.5 -r--r--r-- 1 root wheel 569864 Jun 5 13:37:52 2016 /usr/lib/private/libssh.so.5 sisboombah(10.3-RELEASE-p7)[7] ls -lT {,/S2}/usr/sbin/ssh* -r-xr-xr-x 1 root wheel 297736 Jun 5 13:38:35 2016 /S2/usr/sbin/sshd -r-xr-xr-x 1 root wheel 297736 Jun 5 13:38:35 2016 /usr/sbin/sshd sisboombah(10.3-RELEASE-p7)[8]> I think upgrade -r 10.2-RELEASE (ideally, 11.0-RELEASE though as it > would eliminate the possibility of any potential incompatibility) would > work because that would result in a full rewrite of all files.Well, I had seen reports of folks having "issues" with attempts to use freebsd-update to get to releng/11 from systems that weren't as up-to-date as they might be; I was actually trying to avoid a problem.... :-} Peace, david -- David H. Wolfskill david at catwhisker.org Those who would murder in the name of God or prophet are blasphemous cowards. See http://www.catwhisker.org/~david/publickey.gpg for my public key. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 603 bytes Desc: not available URL: <http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20161016/a382f0d2/attachment.sig>