[CentOS] openssh rpm version greater than 4.3

Wed Aug 3 21:46:01 UTC 2011
John R. Dennison <jrd at gerdesas.com>

On Wed, Aug 03, 2011 at 02:17:36PM -0700, Vinay Nagrik wrote:
> Hello Team,
> 
> We ship our own software own top of Centos 5.2 OS and install other
> applications and rpms on top of rpms available in 5.2 Centos.

Why in the world are you running 5.2?  That's so ridiculously old and
insecure a 5 year old can crack it if it's exposed to the 'net.

Are you quite sure you're running CentOS-5.2?  What does "rpm -q
centos-release" return?

> We are in the process of upgrading to a later  version of openssh (5.8
> version of openssh is already available), however the latest src.rpm version
> of openssh available on Centos site is still
> 
> openssh-4.3p2-72.el5_6.3.src.rpm<http://oss.oracle.com/el5/SRPMS-updates/openssh-4.3p2-72.el5_6.3.src.rpm>

You're worried about openssh when you're possibly running C5.2?  Really?

That's not a CentOS site; that's Oracle.

> Which is a 4.3 and not anything in 5.x.
> 
> The reason we want to do it because there are many vulnerabilities in older
> versions of openssh.  Few are listed below.

You might not be familiar with Redhat (and therefore CentOS) backporting
practices.  Please have a read of:

https://access.redhat.com/security/updates/backporting/?sc_cid=3093

> -* A signal handler race condition in OpenSSH before Version 4.4 can be
> exploited to cause a crash, and possibly execute arbitrary code if
> GSSAPI **authentication
> is enabled, via unspecified vectors that lead to a double-free. (CVE-2006-50

Fixed: Tue Apr 03 2007 Tomas Mraz <tmraz at redhat.com> - 4.3p2-21

> **- A denial of service vulnerability exists in sshd in OpenSSH before
> Version 4.4, when using the SSH protocol Version 1, because it does
> not**properly
> handle duplicate incoming blocks. This can be exploited by a remote attacker
> to cause sshd to consume a large quantity of CPU resources. **
> (CVE-2006-4924)*

Fixed: * Mon Oct 02 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-10

> *OpenSSH is prone to a plain text recovery attack. The issue is in the SSH
> protocol specification itself and exists in Secure Shell (SSH) software**when
> used with CBC-mode ciphers.*

No CVE to reference but is likely this CVE and the associated fix:

* Tue May 26 2009 Jan F. Chadima <jchadima at redhat.com> - 4.3p2-35
- workaround to plaintext recovery attack against CBC ciphers
CVE-2008-5161 (#502230)

> *OpenSSH is prone to a vulnerability that allows attackers to hijack
> forwarded X connections.Successfully exploiting this issue may allow an
> attackerrun arbitrary shell commands*

No CVE to reference and there are a few possible patch candidates for
this description.

> These are only some of the issues and they are fixed in versions 5.2 or
> later.

They are almost assuredly fixed in that which Redhat and CentOS ship.

By the way, above information retrieved via "rpm -q --changelog
openssh-server".

> We work with openssh src.rpm and we are interested in getting a version 5.2
> or greater src.rpm from Centos.   I tried compiling these rpms from openssh
> source, but was unsuccessful.

Compiling from source is in almost all cases the improper solution.

(And for the argumentative in the audience please save me the diatribe
about building from source, this is a package managed distro, if you
MUST build do so as native packages.)

> Can anyone thow some light, as to where can I get it or request it, which
> will work with other centos rpms.

See above comments.  The CVEs you reference have been fixed for /years/;
those issues you didn't provide a CVE for are also assuredly resolved as
well.

You may wish to _strongly_ consider updating your box.




							John
-- 
There's only one way to have a happy marriage and as soon as I learn what it
is I'll get married again.

-- Clint Eastwood
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.centos.org/pipermail/centos/attachments/20110803/ae247ac8/attachment-0005.sig>