I see that this is a CentOS 7 patch only, at least so far. I also see that the CentOS 6 ssh version is 5.3

> /usr/bin/ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

which is supposedly not affected. However, strings indicates that /usr/bin/ssh is also aware of the useroaming configuration option:

> strings /usr/bin/ssh | grep -i useroam
useroaming

Is it actually known that the ssh version shipped with CentOS 6 is not vulnerable, or is it just assumed based on the version number? The announcement implies that the roaming code itself was added in 5.4, not just that a default was changed, but if that's really true, why is that string in the binary?

Noam

P.S. I do realize this is a question better directed to RedHat, but I'm hoping someone here might still know.

> On Jan 15, 2016, at 9:39 AM, Johnny Hughes <johnny at centos.org> wrote:
>
> For the record, this update is now released (it was yesterday):
>
> https://lists.centos.org/pipermail/centos-announce/2016-January/021614.html
>
> This contains a patch that disables roaming:
> https://git.centos.org/commitdiff/rpms!openssh.git/1edce7e6bfedb27a163f35bcacab620a703408ac
>
> Thanks,
> Johnny Hughes
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
On 01/15/2016 08:55 AM, Noam Bernstein wrote:
> I see that this is a CentOS 7 patch only, at least so far. I also see that the CentOS 6 ssh version is 5.3
>
> > /usr/bin/ssh -V
> OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
>
> which is supposedly not affected. However, strings indicates that /usr/bin/ssh is also aware of the useroaming configuration option:
>
> > strings /usr/bin/ssh | grep -i useroam
> useroaming
>
> Is it actually known that the ssh version shipped with CentOS 6 is not vulnerable, or is it just assumed based on the version number? The announcement implies that the roaming code itself was added in 5.4, not just that a default was changed, but if that's really true, why is that string in the binary?

https://bugzilla.redhat.com/show_bug.cgi?id=1298032#c16

(see comment 16)
> On Jan 15, 2016, at 10:31 AM, Johnny Hughes <johnny at centos.org> wrote:
>
> On 01/15/2016 08:55 AM, Noam Bernstein wrote:
>> I see that this is a CentOS 7 patch only, at least so far. I also see that the CentOS 6 ssh version is 5.3
>>
>> > /usr/bin/ssh -V
>> OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
>>
>> which is supposedly not affected. However, strings indicates that /usr/bin/ssh is also aware of the useroaming configuration option:
>>
>> > strings /usr/bin/ssh | grep -i useroam
>> useroaming
>>
>> Is it actually known that the ssh version shipped with CentOS 6 is not vulnerable, or is it just assumed based on the version number? The announcement implies that the roaming code itself was added in 5.4, not just that a default was changed, but if that's really true, why is that string in the binary?
>
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1298032#c16
>
> (see comment 16)

Yes, that answers my question. Thanks.

Noam
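A client-side audit script for the three checks this thread walks through, added here as an example and not taken from the thread or from the CentOS/Red Hat packages: it classifies an `ssh -V` string against the 5.4 lower bound the announcement gives, greps the binary for the useroaming option the way the strings command above does, and reads an ssh_config for an explicit UseRoaming no. The function names, the --live flag and the inputs in the comments are assumptions of this example, not anything the thread or the packages define.

```shell
#!/bin/sh
# Added example, not from the thread or the CentOS/Red Hat packages.
# Mirrors the checks discussed on the list: the version `ssh -V` reports,
# whether the binary knows the useroaming option, and whether ssh_config
# turns it off. The 5.4 lower bound is the one the thread cites; the config
# logic follows ssh_config's rule that the first value for a keyword wins.

# ssh_has_roaming_version "OpenSSH_5.3p1, ..." -> prints yes if version >= 5.4
ssh_has_roaming_version() {
    set -- $(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ $# -eq 2 ] || { echo unknown; return 2; }
    if [ "$1" -gt 5 ] || { [ "$1" -eq 5 ] && [ "$2" -ge 4 ]; }; then
        echo yes; return 0
    fi
    echo no; return 1
}

# binary_mentions_roaming /path/to/ssh -> same effect as `strings ssh | grep -i useroam`
binary_mentions_roaming() {
    if grep -aqi useroaming "$1"; then echo yes; return 0; fi
    echo no; return 1
}

# config_disables_roaming FILE -> yes if the global section (or a "Host *" block)
# sets UseRoaming no; a value under a specific Host/Match block covers only that host
config_disables_roaming() {
    if awk '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        { kw = tolower($1) }
        kw == "host" && NF == 2 && $2 == "*" { next }
        kw == "host" || kw == "match" { exit }
        kw == "useroaming" { found = (tolower($2) == "no"); exit }
        END { exit found ? 0 : 1 }' "$1"; then
        echo yes; return 0
    fi
    echo no; return 1
}

# audit_live: run the three checks against the client installed on this host
audit_live() {
    v=$(ssh -V 2>&1)   # ssh prints its version on stderr
    echo "client: $v"
    echo "version >= 5.4: $(ssh_has_roaming_version "$v")"
    echo "binary mentions useroaming: $(binary_mentions_roaming "$(command -v ssh)")"
    for f in /etc/ssh/ssh_config "$HOME/.ssh/config"; do
        [ -f "$f" ] && echo "$f sets UseRoaming no: $(config_disables_roaming "$f")"
    done
}

if [ "${1:-}" = "--live" ]; then audit_live; fi
```

Run it with --live to audit the local client; the version string from the CentOS 6 box above comes back as "no" while any 5.4 or later client comes back "yes", which is exactly why the thread's question is about the binary rather than the version number.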