Hello Team,
We ship our own software on top of CentOS 5.2 OS and install other applications and rpms on top of rpms available in 5.2 CentOS.
We are in the process of upgrading to a later version of openssh (5.8 version of openssh is already available), however the latest src.rpm version of openssh available on Centos site is still
openssh-4.3p2-72.el5_6.3.src.rpm
http://oss.oracle.com/el5/SRPMS-updates/openssh-4.3p2-72.el5_6.3.src.rpm
Which is a 4.3 and not anything in 5.x.
The reason we want to do it is because there are many vulnerabilities in older versions of openssh. A few are listed below.
- A signal handler race condition in OpenSSH before Version 4.4 can be exploited to cause a crash, and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free. (CVE-2006-50
- A denial of service vulnerability exists in sshd in OpenSSH before Version 4.4, when using the SSH protocol Version 1, because it does not properly handle duplicate incoming blocks. This can be exploited by a remote attacker to cause sshd to consume a large quantity of CPU resources. (CVE-2006-4924)
- OpenSSH is prone to a plain text recovery attack. The issue is in the SSH protocol specification itself and exists in Secure Shell (SSH) software when used with CBC-mode ciphers.
- OpenSSH is prone to a vulnerability that allows attackers to hijack forwarded X connections. Successfully exploiting this issue may allow an attacker to run arbitrary shell commands.

These are only some of the issues and they are fixed in versions 5.2 or later.
We work with openssh src.rpm and we are interested in getting a version 5.2 or greater src.rpm from Centos. I tried compiling these rpms from openssh source, but was unsuccessful.
Can anyone throw some light as to where I can get it or request it, which will work with other CentOS rpms.
thanks in advance
Thanks
Nagrik
Vinay Nagrik wrote:
Hello Team,
Well, we're not your team, but...
We ship our own software on top of CentOS 5.2 OS and install other applications and rpms on top of rpms available in 5.2 CentOS.
Why 5.2? There's 5.6, and 6 out, though the latter is missing a number of things (for example, I'm busy trying to get mplayer and motion to work).
We are in the process of upgrading to a later version of openssh (5.8 version of openssh is already available), however the latest src.rpm version of openssh available on Centos site is still
openssh-4.3p2-72.el5_6.3.src.rpm
http://oss.oracle.com/el5/SRPMS-updates/openssh-4.3p2-72.el5_6.3.src.rpm
As it is in upstream. For 5.4 openssh and above, you need to compile it yourself, as we have had to do, so as to work with PIV-II cards from the US gov't. d/l the tarball from the project site and do the usual, then consider rpmorize to build it into a distributable package from your own repository. <snip> mark
On Wed, 2011-08-03 at 17:26 -0400, m.roth@5-cent.us wrote:
Vinay Nagrik wrote:
Hello Team,
Well, we're not your team, but...
Yes we are. We, collectively, are the Centos Supporters Team - a world wide association of happy Centos users ;-)
By the way KB what happened to the Tee-shirt offer ?
On Wed, Aug 03, 2011 at 02:17:36PM -0700, Vinay Nagrik wrote:
Hello Team,
We ship our own software on top of CentOS 5.2 OS and install other applications and rpms on top of rpms available in 5.2 CentOS.
Why in the world are you running 5.2? That's so ridiculously old and insecure a 5 year old can crack it if it's exposed to the 'net.
Are you quite sure you're running CentOS-5.2? What does "rpm -q centos-release" return?
We are in the process of upgrading to a later version of openssh (5.8 version of openssh is already available), however the latest src.rpm version of openssh available on Centos site is still
openssh-4.3p2-72.el5_6.3.src.rpm
http://oss.oracle.com/el5/SRPMS-updates/openssh-4.3p2-72.el5_6.3.src.rpm
You're worried about openssh when you're possibly running C5.2? Really?
That's not a CentOS site; that's Oracle.
Which is a 4.3 and not anything in 5.x.
The reason we want to do it is because there are many vulnerabilities in older versions of openssh. A few are listed below.
You might not be familiar with Redhat (and therefore CentOS) backporting practices. Please have a read of:
https://access.redhat.com/security/updates/backporting/?sc_cid=3093
- A signal handler race condition in OpenSSH before Version 4.4 can be exploited to cause a crash, and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free. (CVE-2006-50
Fixed: Tue Apr 03 2007 Tomas Mraz tmraz@redhat.com - 4.3p2-21
- A denial of service vulnerability exists in sshd in OpenSSH before Version 4.4, when using the SSH protocol Version 1, because it does not properly handle duplicate incoming blocks. This can be exploited by a remote attacker to cause sshd to consume a large quantity of CPU resources. (CVE-2006-4924)
Fixed: * Mon Oct 02 2006 Tomas Mraz tmraz@redhat.com - 4.3p2-10
- OpenSSH is prone to a plain text recovery attack. The issue is in the SSH protocol specification itself and exists in Secure Shell (SSH) software when used with CBC-mode ciphers.
No CVE to reference, but it is likely this CVE and the associated fix:
* Tue May 26 2009 Jan F. Chadima jchadima@redhat.com - 4.3p2-35
- workaround to plaintext recovery attack against CBC ciphers CVE-2008-5161 (#502230)
- OpenSSH is prone to a vulnerability that allows attackers to hijack forwarded X connections. Successfully exploiting this issue may allow an attacker to run arbitrary shell commands.
No CVE to reference and there are a few possible patch candidates for this description.
These are only some of the issues and they are fixed in versions 5.2 or later.
They are almost assuredly fixed in that which Redhat and CentOS ship.
By the way, above information retrieved via "rpm -q --changelog openssh-server".
We work with openssh src.rpm and we are interested in getting a version 5.2 or greater src.rpm from Centos. I tried compiling these rpms from openssh source, but was unsuccessful.
Compiling from source is in almost all cases the improper solution.
(And for the argumentative in the audience please save me the diatribe about building from source, this is a package managed distro, if you MUST build do so as native packages.)
Can anyone throw some light as to where I can get it or request it, which will work with other CentOS rpms.
See above comments. The CVEs you reference have been fixed for /years/; those issues you didn't provide a CVE for are also assuredly resolved as well.
You may wish to _strongly_ consider updating your box.
John
On Wed, Aug 3, 2011 at 4:17 PM, Vinay Nagrik vnagrik@gmail.com wrote:
The reason we want to do it is because there are many vulnerabilities in older versions of openssh. A few are listed below.
Have you checked these against the rh security database? I'd be willing to bet that they've all been addressed via backported security fixes.
You should probably read over https://access.redhat.com/security/updates/backporting/?sc_cid=3093
and then search the CVEs against
http://www.redhat.com/security/data/cve/
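John's reply checks the listed CVE ids against the installed package's changelog by hand, and the last reply recommends the same check against Red Hat's CVE database. The script below is an added example, not written by anyone in this thread, that automates the changelog half of that check on a backporting distro: for each CVE id it reports the changelog entry (date, packager, release) that first mentions it, and exits with the number of ids it could not find. The sample changelog is constructed from the entries quoted above, with made-up body text for the 4.3p2-21 and 4.3p2-10 entries, so the script runs offline; on a real host replace SAMPLE_CHANGELOG with the output of `rpm -q --changelog openssh-server`. The function names cve_fix_entry and check_cves are my own.

```shell
#!/bin/sh
# Added example: find which RPM changelog entry first mentions a CVE id.
# On a live system the changelog comes from:  rpm -q --changelog openssh-server
# The text below is a CONSTRUCTED sample assembled from entries quoted in the
# thread; the body lines marked "(constructed)" are not real changelog text.
SAMPLE_CHANGELOG='* Tue May 26 2009 Jan F. Chadima <jchadima@redhat.com> - 4.3p2-35
- workaround to plaintext recovery attack against CBC ciphers CVE-2008-5161 (#502230)
* Tue Apr 03 2007 Tomas Mraz <tmraz@redhat.com> - 4.3p2-21
- (constructed) fix signal handler race in GSSAPI authentication
* Mon Oct 02 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-10
- (constructed) fix duplicate block handling in SSH protocol 1 (CVE-2006-4924)'

# cve_fix_entry CHANGELOG CVE-ID
# Prints the "* <date> <packager> - <release>" header of the first entry whose
# lines contain CVE-ID (rpm prints newest entries first, so this is the earliest
# release to carry the fix as seen from the top). Exit 1 if no entry mentions it.
cve_fix_entry() {
    printf '%s\n' "$1" | awk -v cve="$2" '
        /^\* /          { header = $0 }          # remember the current entry header
        index($0, cve)  { print header; found = 1; exit }
        END             { exit found ? 0 : 1 }
    '
}

# check_cves CHANGELOG CVE-ID...
# One report line per CVE id; the return value is the count of ids that do not
# appear anywhere in the changelog (0 means every id is covered by some entry).
check_cves() {
    changelog=$1
    shift
    missing=0
    for cve in "$@"; do
        if entry=$(cve_fix_entry "$changelog" "$cve"); then
            printf '%s  fixed in: %s\n' "$cve" "$entry"
        else
            printf '%s  NOT mentioned in changelog (check the vendor CVE database)\n' "$cve"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Stand-alone usage against the constructed sample.
check_cves "$SAMPLE_CHANGELOG" CVE-2008-5161 CVE-2006-4924 || true
```

A CVE id that is absent from the changelog is not proof the package is vulnerable: the fix may have landed before the packager started citing ids, or under a different id, which is why the report points at the vendor database for those cases rather than declaring them unfixed.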