[CentOS] Fwd: Heads up: OpenSSH users

Fri Jan 15 15:31:50 UTC 2016
Johnny Hughes <johnny at centos.org>

On 01/15/2016 08:55 AM, Noam Bernstein wrote:
> I see that this is a CentOS 7 patch only, at least so far.  I also see that the CentOS 6 ssh version is 5.3
> 	> /usr/bin/ssh -V
> 	OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
> which is supposedly not affected. However, strings indicates that /usr/bin/ssh is also aware for the useroaming configuration option:
> 	> strings /usr/bin/ssh | grep -i useroam
> 	useroaming
> Is it actually known that the ssh version shipped with CentOS 6 is not vulnerable, or is it just assumed based on the version number?  The announcement implies that the roaming code itself was added in 5.4, not just that a default was changed, but if that’s really true, why is that string in the binary?



https://bugzilla.redhat.com/show_bug.cgi?id=1298032#c16

(see comment 16)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20160115/06f3867d/attachment-0005.sig>