<div>Hello Team,</div>
<div> </div>
<div>We ship our own software own top of Centos 5.2 OS and install other applications and rpms on top of rpms available in 5.2 Centos.</div>
<div> </div>
<div>We are in the process of upgrading to a later version of openssh (5.8 version of openssh is already available), however the latest src.rpm version of openssh available on Centos site is still</div>
<div> </div>
<div><a href="http://oss.oracle.com/el5/SRPMS-updates/openssh-4.3p2-72.el5_6.3.src.rpm">openssh-4.3p2-72.el5_6.3.src.rpm</a> </div>
<div> </div>
<div>Which is a 4.3 and not anything in 5.x.</div>
<div> </div>
<div>The reason we want to do it because there are many vulnerabilities in older versions of openssh. Few are listed below.</div><font size="1" face="Arial"><font size="1" face="Arial">
<p align="left">-<strong> A signal handler race condition in OpenSSH before Version 4.4 can be exploited to cause a crash, and possibly execute arbitrary code if GSSAPI </strong><strong>authentication is enabled, via unspecified vectors that lead to a double-free. (CVE-2006-50</strong><strong>- A denial of service vulnerability exists in sshd in OpenSSH before Version 4.4, when using the SSH protocol Version 1, because it does not</strong><strong>properly handle duplicate incoming blocks. This can be exploited by a remote attacker to cause sshd to consume a large quantity of CPU resources. </strong><strong>(CVE-2006-4924)</strong></p>
<p><font size="1" face="Arial"><font size="1" face="Arial"><strong>OpenSSH is prone to a plain text recovery attack. The issue is in the SSH protocol specification itself and exists in Secure Shell (SSH) software</strong><strong>when used with CBC-mode ciphers.</strong></font></font></p>
<font size="1" face="Arial"><font size="1" face="Arial">
<p align="left"><strong>OpenSSH is prone to a vulnerability that allows attackers to hijack forwarded X connections.Successfully exploiting this issue may allow an attackerrun arbitrary shell commands</strong></p>
<div></div></font></font></font></font>These are only some of the issues and they are fixed in versions 5.2 or later.
<div> </div>
<div>We work with openssh src.rpm and we are interested in getting a version 5.2 or greater src.rpm from Centos. I tried compiling these rpms from openssh source, but was unsuccessful.</div>
<div> </div>
<div>Can anyone thow some light, as to where can I get it or request it, which will work with other centos rpms.</div>
<div> </div>
<div>thanks in advance</div>
<div><br>Thanks<br><br>Nagrik<br></div>