How to update OpenSSH and Apache version

dudu2030

Dabbler
Joined
Mar 7, 2021
Messages
11
Hello everyone,

I recently moved to version 12.0-U2.1.

Strangely, when I go to the shell and do ssh -v localhost
I still see OpenSSH_7.9p1, OpenSSL 1.1.1h-freebsd.

Also, the Apache version is still 2.4.46.

Please, how can I upgrade both SSH and Apache?

Thanks
 

c77dk

Patron
Joined
Nov 27, 2019
Messages
468
Upgrading things in base isn't recommended - and the services shouldn't be exposed to the wild. All non-base should be in jails, where you can use ports/packages.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776

dudu2030

Dabbler
Joined
Mar 7, 2021
Messages
11
That is the current version. What precisely is the problem you have?

The security team said the system is vulnerable after performing a scan.

Problems found

1. TCP/22 - OpenSSH Server - 7.9-hpn14v15 (Multiple vulnerabilities on OpenSSH Server - 7.9)
Multiple vulnerabilities are present on the installed version of OpenSSH Server.
Proposed remediation
Install the latest version (http://www.openssh.com/ or specific distribution repository). For some distributions the update may not be available for deliberate decision of the vendor that manages the distribution. In this case verify within the vendors' security bulletins:
- vulnerabilities fixed by backporting of patches made by the vendor
- vulnerabilities not affecting the system for standard or specific configuration or missing components needed for exploitation
- availability of compensating measures indicated by the vendor
- vulnerabilities considered acceptable by the vendor with motivated low impact or difficult exploitation

2. TCP/6000 - HTTP (Cross-Site Scripting)
A vulnerability has been identified in Apache HTTP Server and IBM HTTP Server, which could be exploited by attackers to execute arbitrary scripting code. This flaw in Apache is due to an input validation error in the "modules/http/http_protocol.c" script when processing malformed "Expect:" headers, which could be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected Web site via a specially crafted Flash file. Vulnerable products are: Apache before 1.3.35, Apache before 2.0.58, Apache before 2.2.2, IBM HTTP Server before 2.0 + APAR PK25355, IBM HTTP Server before 6.0.2.13, IBM HTTP Server before 6.1.0.1
Proposed remediation
Install update: http://httpd.apache.org/download.cgi http://www.ibm.com
 

ciscoguy

Cadet
Joined
Mar 24, 2021
Messages
5
You are right. I performed a scan using nmap; OpenSSH 7.9 is vulnerable.
See the result of my scan below. OpenSSH 8.4 exists, but I am not sure how to install it in FreeNAS.

Code:
| vulners:
| cpe:/a:openbsd:openssh:7.9:
| EXPLOITPACK:98FE96309F9524B8C84C508837551A19 5.8 https://vulners.com/exploitpack/EXPLOITPACK:98FE96309F9524B8C84C508837551A19 *EXPLOIT*
| EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97 5.8 https://vulners.com/exploitpack/EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97 *EXPLOIT*
| EDB-ID:46516 5.8 https://vulners.com/exploitdb/EDB-ID:46516 *EXPLOIT*
| CVE-2019-6111 5.8 https://vulners.com/cve/CVE-2019-6111
| CVE-2019-16905 4.4 https://vulners.com/cve/CVE-2019-16905
| CVE-2019-6110 4.0 https://vulners.com/cve/CVE-2019-6110
| CVE-2019-6109 4.0 https://vulners.com/cve/CVE-2019-6109
| CVE-2018-20685 2.6 https://vulners.com/cve/CVE-2018-20685
| PACKETSTORM:151227 0.0 https://vulners.com/packetstorm/PACKETSTORM:151227 *EXPLOIT*
| EDB-ID:46193 0.0 https://vulners.com/exploitdb/EDB-ID:46193 *EXPLOIT*
|_ 1337DAY-ID-32009 0.0 https://vulners.com/zdt/1337DAY-ID-32009 *EXPLOIT*

Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
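The vulners block in the scan above is derived from the version string in the SSH banner (the cpe:/a:openbsd:openssh:7.9 line), not from anything the scanner verified on the host, so a security team still has to triage it. The script below is an added example written for this thread, not code from the original post or from nmap: it parses a vulners block into findings, separates CVE entries from exploit-pack references, and ranks the CVEs by the score the scanner printed, so the review can start from the highest-scoring items. The sample text is a constructed copy of the scan output posted above; the function and class names are mine.

```python
"""Triage helper for the vulners block that nmap's vulners script prints.

Added example for this thread; the sample below is a constructed copy of
the scan output posted above, not live scanner data."""
import re
from dataclasses import dataclass

# Constructed sample: the vulners block from the post, as nmap prints it.
SAMPLE = """\
| vulners:
| cpe:/a:openbsd:openssh:7.9:
| EXPLOITPACK:98FE96309F9524B8C84C508837551A19 5.8 https://vulners.com/exploitpack/EXPLOITPACK:98FE96309F9524B8C84C508837551A19 *EXPLOIT*
| EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97 5.8 https://vulners.com/exploitpack/EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97 *EXPLOIT*
| EDB-ID:46516 5.8 https://vulners.com/exploitdb/EDB-ID:46516 *EXPLOIT*
| CVE-2019-6111 5.8 https://vulners.com/cve/CVE-2019-6111
| CVE-2019-16905 4.4 https://vulners.com/cve/CVE-2019-16905
| CVE-2019-6110 4.0 https://vulners.com/cve/CVE-2019-6110
| CVE-2019-6109 4.0 https://vulners.com/cve/CVE-2019-6109
| CVE-2018-20685 2.6 https://vulners.com/cve/CVE-2018-20685
| PACKETSTORM:151227 0.0 https://vulners.com/packetstorm/PACKETSTORM:151227 *EXPLOIT*
| EDB-ID:46193 0.0 https://vulners.com/exploitdb/EDB-ID:46193 *EXPLOIT*
|_ 1337DAY-ID-32009 0.0 https://vulners.com/zdt/1337DAY-ID-32009 *EXPLOIT*
"""


@dataclass(frozen=True)
class Finding:
    cpe: str        # the CPE the scanner inferred from the service banner
    ident: str      # CVE-..., EDB-ID:..., EXPLOITPACK:..., etc.
    score: float    # score as printed by the scanner
    url: str
    exploit: bool   # line carried the *EXPLOIT* marker

    @property
    def is_cve(self):
        return self.ident.startswith("CVE-")


# "| IDENT SCORE URL [*EXPLOIT*]"; the last line of a block starts with "|_".
LINE = re.compile(r"^\|_?\s+(\S+)\s+(\d+\.\d+)\s+(\S+)(\s+\*EXPLOIT\*)?\s*$")
# "| cpe:/a:vendor:product:version:" introduces the findings that follow it.
CPE = re.compile(r"^\|_?\s+(cpe:/\S+?):?\s*$")


def parse_vulners(text):
    """Turn a vulners block into Finding objects, each tagged with its CPE."""
    findings = []
    cpe = None
    for line in text.splitlines():
        m = CPE.match(line)
        if m:
            cpe = m.group(1)
            continue
        m = LINE.match(line)
        if m and cpe is not None:
            findings.append(Finding(cpe, m.group(1), float(m.group(2)),
                                    m.group(3), m.group(4) is not None))
    return findings


def summarize(findings):
    """Split CVEs from exploit references and rank CVEs by score (highest first).

    Every entry here rests on the banner-derived CPE only; whether the installed
    build is actually affected (backported fix, feature not compiled in) has to be
    checked against the vendor's package, as later replies in this thread do."""
    cves = sorted((f for f in findings if f.is_cve), key=lambda f: -f.score)
    return {
        "cpe": sorted({f.cpe for f in findings}),
        "cves": [(f.ident, f.score) for f in cves],
        "max_score": max((f.score for f in cves), default=0.0),
        "exploit_refs": [f.ident for f in findings if f.exploit],
    }


if __name__ == "__main__":
    summary = summarize(parse_vulners(SAMPLE))
    print("banner-derived CPE(s):", ", ".join(summary["cpe"]))
    for ident, score in summary["cves"]:
        print(f"  {ident:<16} {score:>4}")
    print("exploit references:", len(summary["exploit_refs"]))
```

Run it as-is to see the ranked CVE list for the posted scan; to triage a real scan, replace SAMPLE with the vulners block copied from nmap's output.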
 

ciscoguy

Cadet
Joined
Mar 24, 2021
Messages
5
Thanks for the feedback.
I see on the OpenSSH site https://www.openssh.com/ that version 8.6 is the latest version, released April 2021.
Tread carefully though; I'm not sure how to install it. This is just FYI.
 

dudu2030

Dabbler
Joined
Mar 7, 2021
Messages
11
Proper procedure to get newer packages on TrueNAS is to update to latest stable version. In this case 12.0-U4.

I just updated to 12.0-U4. The SSH version is still not updated.

Is there something else I have to do?

Thanks
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Code:
root@homenas[~]# cat /etc/version 
TrueNAS-12.0-U4 (8e83079305)
root@homenas[~]# pkg info openssh-portable
openssh-portable-8.4.p1_4,1
Name           : openssh-portable
Version        : 8.4.p1_4,1


git log for openssh-portable
Code:
$ git checkout TN-12.0-U4
HEAD is now at 94e0b32c0289 Merge pull request #1041 from truenas/openzfs/12.0-stable
$ git log security/openssh-portable/
commit 3c654e6aca0e826ca94e09fbbfc9416487c13f2e
Author: themylogin <themylogin@gmail.com>
Date:   Thu May 13 22:35:23 2021 +0200

    Fix security/openssh-portable

commit 7bbad66d3744bb51479aa2a41b531e1c0a34b9d9
Author: Bryan Drewery <bdrewery@FreeBSD.org>
Date:   Thu Mar 18 20:49:44 2021 +0000

    Add limited patch for CVE-2021-28041 from upstream.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
also apache version is still 2.4.46
Where? I don't see that Apache is part of FreeNAS in any way; it uses Nginx for its web server. And even if it were part of FreeNAS, the version that you say is there is well later than the identified vulnerable versions.
 

dudu2030

Dabbler
Joined
Mar 7, 2021
Messages
11
Code:
root@homenas[~]# cat /etc/version
TrueNAS-12.0-U4 (8e83079305)
root@homenas[~]# pkg info openssh-portable
openssh-portable-8.4.p1_4,1
Name           : openssh-portable
Version        : 8.4.p1_4,1


git log for openssh-portable
Code:
$ git checkout TN-12.0-U4
HEAD is now at 94e0b32c0289 Merge pull request #1041 from truenas/openzfs/12.0-stable
$ git log security/openssh-portable/
commit 3c654e6aca0e826ca94e09fbbfc9416487c13f2e
Author: themylogin <themylogin@gmail.com>
Date:   Thu May 13 22:35:23 2021 +0200

    Fix security/openssh-portable

commit 7bbad66d3744bb51479aa2a41b531e1c0a34b9d9
Author: Bryan Drewery <bdrewery@FreeBSD.org>
Date:   Thu Mar 18 20:49:44 2021 +0000

    Add limited patch for CVE-2021-28041 from upstream.

Thanks anodos, I also got the same result.
[screenshot attachment: pkg info output]


However, when I do ssh -V I still see the old version. Is there a way to remove it?
[screenshot attachment: ssh -V output]
 

dudu2030

Dabbler
Joined
Mar 7, 2021
Messages
11
Where? I don't see that Apache is part of FreeNAS in any way; it uses Nginx for its web server. And even if it were part of FreeNAS, the version that you say is there is well later than the identified vulnerable versions.
From the shell, I did httpd -v and got the output below. I guess that's why it was flagged by the vulnerability scan.
[screenshot attachment: httpd -v output]
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Ah, that's why--it's in /usr/local/sbin, not /usr/local/bin where I was looking for it. Though I still wonder why it's there at all--it isn't running, there isn't even an rc script for it.
I guess that's why it was flagged by the vulnerability scan.
...but again, that vulnerability scan says that versions before 2.2.2 are affected--I don't think I need to elaborate that 2.4.46 is not an earlier version than 2.2.2. In fact, no release in the 2.4.x branch is identified as vulnerable in that notice.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Thanks anodos, I also got the same result.
View attachment 47537

However, when I do ssh -V I still see the old version. Is there a way to remove it?
View attachment 47538
No. And there's not a reason to be concerned about it since it's not used. Automated scans are at best a starting point for understanding what's in an environment. They aren't really meant for a compliance checklist. Often patches are backported or software is not compiled with vulnerable options. It's the responsibility of the security team / server admin to understand the results and come up with sensible mitigations _if_ necessary.
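The practical check behind this answer is to tell apart which binary each tool is looking at: pkg reports the openssh-portable package (8.4.p1_4,1), while a bare ssh -V runs whichever ssh comes first on PATH. On FreeBSD the base system's binaries live in /usr/bin and package binaries in /usr/local/bin, the same split danb35 ran into with httpd in /usr/local/sbin. The script below is an added example, not code from this thread or from iXsystems: it lists every executable named ssh in PATH order, parses the OpenSSH_x.ypN banner and the FreeBSD pkg version string into comparable tuples, and says whether the shell's ssh is the same release the package manager reports. The function names and the sample strings are mine; the banner strings used for testing are the ones quoted in the thread.

```python
"""Which ssh does the shell run, and is it the release pkg says is installed?

Added example for this thread. Assumes the FreeBSD layout (base system in
/usr/bin, packages in /usr/local/bin) and the pkg version format shown in the
thread (8.4.p1_4,1 = upstream 8.4p1, port revision 4, epoch 1)."""
import os
import re
import subprocess

# "OpenSSH_7.9p1, OpenSSL 1.1.1h-freebsd ..." -> major, minor, optional patch level
BANNER = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")
# FreeBSD pkg version: MAJOR.MINOR[.pN][_PORTREVISION][,EPOCH]
PKGVER = re.compile(r"^(\d+)\.(\d+)(?:\.p(\d+))?(?:_(\d+))?(?:,(\d+))?$")


def all_on_path(name, path=None):
    """Every executable called `name` along PATH, in search order.

    Index 0 is the one a bare `name` runs in the shell; later entries are
    shadowed copies (for ssh on TrueNAS, typically the /usr/bin base binary
    and the /usr/local/bin package binary)."""
    search = path if path is not None else os.environ.get("PATH", "")
    hits = []
    for directory in search.split(os.pathsep):
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            hits.append(candidate)
    return hits


def banner_version(banner):
    """'OpenSSH_7.9p1, OpenSSL 1.1.1h-freebsd' -> (7, 9, 1)."""
    m = BANNER.search(banner)
    if m is None:
        raise ValueError(f"not an OpenSSH banner: {banner!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def pkg_version(pkgver):
    """'8.4.p1_4,1' -> ((8, 4, 1), port_revision=4, epoch=1).

    Only the first tuple is the upstream OpenSSH release; revision and epoch
    are FreeBSD port bookkeeping and never appear in an ssh -V banner."""
    m = PKGVER.match(pkgver.strip())
    if m is None:
        raise ValueError(f"unrecognised pkg version: {pkgver!r}")
    major, minor, patch, revision, epoch = m.groups()
    return (int(major), int(minor), int(patch or 0)), int(revision or 0), int(epoch or 0)


def same_release(banner, pkgver):
    """True when the banner's OpenSSH release equals the package's upstream release."""
    return banner_version(banner) == pkg_version(pkgver)[0]


def shell_ssh_report(path=None):
    """Run each ssh on PATH with -V and collect (path, version); ssh prints -V to stderr."""
    report = []
    for exe in all_on_path("ssh", path):
        proc = subprocess.run([exe, "-V"], capture_output=True, text=True)
        report.append((exe, banner_version(proc.stderr or proc.stdout)))
    return report


if __name__ == "__main__":
    # On the host itself: compare every ssh on PATH with what pkg reports.
    # pkg_reported is a constructed value taken from the thread; on a real
    # system read it from `pkg info openssh-portable` instead.
    pkg_reported = "8.4.p1_4,1"
    for exe, ver in shell_ssh_report():
        tag = "package release" if ver == pkg_version(pkg_reported)[0] else "other build"
        print(f"{exe}: OpenSSH_{ver[0]}.{ver[1]}p{ver[2]} ({tag})")
```

On a TrueNAS host this prints the /usr/bin and /usr/local/bin copies on separate lines, which makes the "7.9 from ssh -V, 8.4 from pkg" discrepancy in this thread visible at a glance; the ordering of the lines is the shell's search order, so the first one is what an interactive `ssh -V` reports.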
 