Openssh versions



  • Hello,

    We are currently running 2.2.6 on FreeBSD 10.1-RELEASE-p25 and openssh is showing as 6.6.1_hpn13v11.

    If we upgrade to the latest version 2.3.4-p1 is openssh going to follow suit and upgrade to the latest version available for 10.3-RELEASE-p19?

    Which version would it be and how can I reliably check it online (for any pfSense / FreeBSD version)?

    My question is related to PCI compliance scans which are (sadly) mainly interested in main upstream numbers.

    Regards
    Adam



  • pfSense has chosen to use the base-system OpenSSH from FreeBSD, and that means that even though the security fixes are backported when they are needed, the version numbers are kept at what they were at the time of the release. This is something that trips the simple-minded scans that only look at the version numbers and are not aware of the proper revision history of the installed software.

    https://www.freebsd.org/security/advisories.html

    https://svnweb.freebsd.org/base/releng/10.3/crypto/openssh/

    
    [2.3.4-RELEASE][admin@firewall.rdnzl.fi]/root: ssh -V
    OpenSSH_7.2p2, OpenSSL 1.0.1s-freebsd  1 Mar 2016
    
    


  • Thank you for the links and info.

    From my experience it's almost impossible to satisfy these scanners with out-of-the-box deployments / versions.

    You can "self certify" yourself by either proving security fixes have been backported or remedies have been manually applied.

    PCI compliance needs to be renewed every 90 days and we try to make the process as quick and painless as possible.

    I was wondering if there is an easy way of quickly telling what's in a particular openssh version and what's not.

    Something like this for Debian?

    https://security-tracker.debian.org/tracker/source-package/openssh
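The second reply's `ssh -V` output and the last post's question about telling what a given OpenSSH version string means are the same problem from two sides: a scanner parses the version it can see and compares the upstream release number, while the FreeBSD base system keeps that number frozen and backports fixes. The following is an added example, not code from the thread, pfSense or FreeBSD. It parses the three forms the thread mentions (`ssh -V` output, a bare package-style version such as `6.6.1_hpn13v11`, and the server identification banner a scanner reads), shows the numeric comparison a version-only scan performs, and builds the evidence record (upstream number, local suffix, advisory and source-tree URLs from the second reply) that can be attached to a self-certification. The function names, the `grab_banner` helper, the `SSH-2.0-OpenSSH_7.2 FreeBSD-20160310` sample line and the templated `releng/<release>` URL are my own assumptions; the two version strings in `SAMPLES` are the ones quoted in the thread.

```python
"""Parse OpenSSH version strings the way a version-only compliance scanner sees them.

Added example for the thread above; not pfSense or FreeBSD project code.
"""
import re
import socket
from typing import NamedTuple, Optional

# Matches "OpenSSH_7.2p2", "OpenSSH_6.6.1_hpn13v11" and "OpenSSH_7.2 FreeBSD-...".
# Group 4 is the portable-release number (pN); group 5 is a local tag such as _hpn13v11.
VERSION_RE = re.compile(
    r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?([A-Za-z0-9_.-]*)"
)

# URLs quoted in the thread; the releng path is templated on the FreeBSD release (assumption).
FREEBSD_ADVISORIES = "https://www.freebsd.org/security/advisories.html"
BASE_OPENSSH_SOURCE = "https://svnweb.freebsd.org/base/releng/{rel}/crypto/openssh/"


class OpenSSHVersion(NamedTuple):
    major: int
    minor: int
    patch: int                # third component, 0 when absent (7.2p2 -> 7.2.0)
    portable: Optional[int]   # the "pN" portable-release number, None if absent
    suffix: str               # local tag such as "_hpn13v11", "" when none

    @property
    def upstream(self):
        """The tuple a version-only scanner compares: the OpenSSH release number only."""
        return (self.major, self.minor, self.patch)

    def __str__(self):
        s = f"{self.major}.{self.minor}"
        if self.patch:
            s += f".{self.patch}"
        if self.portable is not None:
            s += f"p{self.portable}"
        return s + self.suffix


def parse_openssh_version(text: str) -> OpenSSHVersion:
    """Extract the OpenSSH version from `ssh -V` output, a package version or a banner."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no OpenSSH version found in {text!r}")
    major, minor, patch, portable, suffix = m.groups()
    return OpenSSHVersion(int(major), int(minor), int(patch or 0),
                          int(portable) if portable else None, suffix)


def upstream_is_older(installed: str, reference: str) -> bool:
    """True when a version-only comparison flags `installed` as behind `reference`.

    This is the whole check such a scanner performs: it cannot see backported fixes,
    which is why a frozen base-system version keeps being flagged after each advisory.
    """
    return parse_openssh_version(installed).upstream < parse_openssh_version(reference).upstream


def backport_evidence(version_text: str, freebsd_release: str) -> dict:
    """Record to attach to a self-certification: what was reported and where the
    backported history for that base-system OpenSSH lives."""
    v = parse_openssh_version(version_text)
    upstream = f"{v.major}.{v.minor}" + (f".{v.patch}" if v.patch else "")
    return {
        "reported_version": str(v),
        "upstream_release": upstream,
        "local_suffix": v.suffix,
        "source_tree": BASE_OPENSSH_SOURCE.format(rel=freebsd_release),
        "advisories": FREEBSD_ADVISORIES,
    }


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the server identification line (RFC 4253 section 4.2) from your own host,
    i.e. exactly the string a scanner bases its version check on."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).split(b"\r\n", 1)[0].decode("ascii", "replace")


# Two strings quoted in the thread plus one constructed banner in FreeBSD's format.
SAMPLES = {
    "pfSense 2.3.4 ssh -V (from the thread)": "OpenSSH_7.2p2, OpenSSL 1.0.1s-freebsd  1 Mar 2016",
    "pfSense 2.2.6 package version (from the thread)": "OpenSSH_6.6.1_hpn13v11",
    "remote banner (constructed sample)": "SSH-2.0-OpenSSH_7.2 FreeBSD-20160310",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        v = parse_openssh_version(text)
        print(f"{label}: {v} -> scanner compares {v.upstream}")
    print("6.6.1 flagged as older than 7.2p2:",
          upstream_is_older("OpenSSH_6.6.1_hpn13v11", "OpenSSH_7.2p2"))
    print(backport_evidence(SAMPLES["pfSense 2.3.4 ssh -V (from the thread)"], "10.3"))
```

Run it as-is to see the parsed samples; point `grab_banner("firewall-address")` at your own pfSense box to capture the banner the scanner sees and feed that string to `backport_evidence` when preparing the 90-day evidence pack.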