Topic: ssh fix update 5 THANK YOU

[Ray Mitchell]

Just want to say THANK YOU to the Mitel people for promptly giving us the latest Update 5 ssh fixes

Thanks
Ray Mitchell

[guestHH]

Me too

Mitel was even faster with the LATEST updates then other major distro's

[Jens Kruuse]

Yup, good work.

[Warren Blackbeard]

I concur.

Also big shout out to those on these forums that that provide guidance , experience and assistance ;
Much appreciated and invaluable.

Warren

[Jáder Marasca]

I´m glad to have SSH fix so quickly but...

1) I´d like to see the a fix for SME 5.5 too.
I have several SME 5.5 with ssh enabled... and would like to upgrade them as time goes and not in a rush because of this security flaw!

It´s just one file (if I can remember I saw in one site that I cannot remember what!): e-smith-openSSH-1.10.1-01.noarch.rpm ... that is different from SME 5.6 ... but I´m unable to find it.

Anyone know where to find this file?
And why isn´t ftp.e-smith.org working any more?

2) And why I can see a SME56_server_update4.noarch and a SME56_server_update5.noarch rpms on Update5 dir ? Isn´t that strange?

Thanks anyone by help and Mitel by this great product!

[Ray Mitchell]

Jader

> And why isn´t ftp.e-smith.org working any more?

the ftp site has been taken off line, (about a month or two ago). there was some discussion on the dev-info site, I gather there were some very big monthly download traffic occuring which Mitel did not want to carry any more.

all files are now available on mirror sites, see the e-smiith.org download page for details of mirrors.


> And why I can see a SME56_server_update4.noarch and a
> SME56_server_update5.noarch rpms on Update5 dir ?

I noticed that also, but the upgrade still seemed to work OK, not sure whether update4 is there by accident or design.


> I´d like to see the a fix for SME 5.5 too.
> I have several SME 5.5 with ssh enabled... and would like to upgrade them as
> time goes and not in a rush because of this security flaw!

As far as upgrades of 5.5 servers are concerned, it would now appear that Mitel are no longer supplying those, that's their commercial decision.
My opinin is if you choose to use the unsupported developer release and you wish to avail of "free support" then you need to upgrade your servers in line with Mitel policy.
Otherwise you work out what is needed and fix it yourself, if you have the skill, knowledge and time then that should not be so difficult.

The workaround is to temporarily turn off ssh access on the v5.5 servers.
The alternatives are the webconsole command line interface which seems to work quite nicely (which I assume is still OK to use), or to establish a VPN connection, open server manager and turn on ssh for that (putty) session and then turn ssh off when finished.
Yes I know it takes extra time (about 1 minute), but you are asking for security, so that's the answer.

Regards
Ray Mitchell

[Jáder Marasca]

Ray Mitchell wrote:
>
> Jader
>
> > And why isn´t ftp.e-smith.org working any more?
>
> the ftp site has been taken off line, (about a month or two
> ago). there was some discussion on the dev-info site, I
> gather there were some very big monthly download traffic
> occuring which Mitel did not want to carry any more.
>
> all files are now available on mirror sites, see the
> e-smiith.org download page for details of mirrors.

OK! Thanks. I just remember about this discussion... but I don´t remember about never be online again... I thought that was some problem... anyway... I´ll use mirrors.


>
> > And why I can see a SME56_server_update4.noarch and a
> > SME56_server_update5.noarch rpms on Update5 dir ?
>
> I noticed that also, but the upgrade still seemed to work OK,
> not sure whether update4 is there by accident or design.
>
OK! No problems ... just curious (I´m VERY curious)

>
> > I´d like to see the a fix for SME 5.5 too.
> > I have several SME 5.5 with ssh enabled... and would like
> to upgrade them as
> > time goes and not in a rush because of this security flaw!
>
> As far as upgrades of 5.5 servers are concerned, it would now
> appear that Mitel are no longer supplying those, that's their
> commercial decision.
> My opinin is if you choose to use the unsupported developer
> release and you wish to avail of "free support" then you need
> to upgrade your servers in line with Mitel policy.
> Otherwise you work out what is needed and fix it yourself, if
> you have the skill, knowledge and time then that should not
> be so difficult.

OK! I understand you. FREE is great but have limitations. No problem at all!
BUT  I saw in some place mention to a e-smith-openSSH-1.10.1-01.noarch.rpm file used to upgrade SME 5.5!  In fact was a table showing the files to fix openSSH buf in both of them 5.6 and 5.5!
AND can´t find the file! I´m getting crazy!

And why the Update5 fix to SME56 has so many files?
So far I can see all but those for openSSH fix are the same as Update4! Maybe those for PPTP are different... I don´t check them because I have no problems with VPN on my SME 5.6!

> The workaround is to temporarily turn off ssh access on the
> v5.5 servers.
> The alternatives are the webconsole command line interface
> which seems to work quite nicely (which I assume is still OK
> to use), or to establish a VPN connection, open server
> manager and turn on ssh for that (putty) session and then
> turn ssh off when finished.
> Yes I know it takes extra time (about 1 minute), but you are
> asking for security, so that's the answer.

OK! Thanks by this workaround. I´ll use them in a couple of days if I´m unable to find the e-smith-openSSH-1.10.1-01.noarch.rpm file!

THANKS BY YOUR PATIENCE!

Jáder

[Jáder Marasca]

>
> OK! I understand you. FREE is great but have limitations. No
> problem at all!
> BUT  I saw in some place mention to a
> e-smith-openSSH-1.10.1-01.noarch.rpm file used to upgrade SME
> 5.5!  In fact was a table showing the files to fix openSSH
> buf in both of them 5.6 and 5.5!
> AND can´t find the file! I´m getting crazy!

OK! My FAULT... I´m really getting crazy! I do a search on my temp internet files (by content!) to discover where I had seen that file: It´s on announce of bug fix and version 1.10.1-01 is for 6B3 !

Sorry by that! I´ll start to disable SSH on my servers!

Thanks to everyone!

[George]

Jáder Marasca wrote:

> And why the Update5 fix to SME56 has so many files?
> So far I can see all but those for openSSH fix are the same
> as Update4! Maybe those for PPTP are different... I don´t
> check them because I have no problems with VPN on my SME 5.6!

So that update 5 has all of the updates. This way someone doesn't have to install, add update 1, then update 2 etc. Just install and add update 5 and you're up to date.

[Jáder Marasca]

George wrote:

> So that update 5 has all of the updates. This way someone
> doesn't have to install, add update 1, then update 2 etc.
> Just install and add update 5 and you're up to date.

Of course... I think I should had return to bed... to many dumb questions today!
It´s a sunday (a gray sunday here in Porto Alegre RS Brasil!)

Thank you by this enlightment!

Jáder

[Ray Mitchell]

Jader
I did not download all the packages in Update 5, only those that were different to Update 4. (only 4 rpms)
I copied my Update 4 folder and then added the new packages and then did the update. I even replaced the samba rpms with newer ones
There is a post here that suggests you can only do a " freshen"  to achieve the same thing if you are updating an existing Update 4 version.

See this post
http://www.e-smith.org/bboard//read.php?v=t&f=3&i=36579&t=36576
Also, you don't need to reinstall all those packages.
A simple "freshen" should work fine (granted, our README says to do it).
rpm -Fvh *.rpm

Regards
Ray Mitchell

[Jáder Marasca]

> I did not download all the packages in Update 5, only those
> that were different to Update 4. (only 4 rpms)

I don´t care about to use bandwith... just wrote faster than thinked!
It´s usual and Update have everything to update SME server.
I do a full download to a new SME56Update5 dir! And run it without problems

Thanks!

Jáder

[guestHH]

It seems there was a rpm in the latest 5.6 update that should not have been there. Let's callit a rsync 'hickup'...

The update4 file should not be in update5, if you have that one downloaded and is in your update5 dir, just remove it.

Then perform the update as described.

Even with the error, the rpm install appears to work fine. If you're
worried, reinstall update 5. This may be simply exposing an obscure rpm
bug, and an apparently harmless one at that.

Let us know if anything is actually broken. I see nothing wrong with my
test server here.

Regards,
RequestedDeletion & Mike