Thanks for the responses. I ended up editing our Openssh install script
so it will check Red Hat versions and install 6.6p1 on Red Hat 5 and 6.7p1
on 6 and 7 systems.
David Flatley
From: Damien Miller <djm@xxxxxxxxxxx>
To: Nico Kadel-Garcia <nkadel@xxxxxxxxx>,
Cc: David Flatley/Burlington/IBM@IBMUS,
"openssh-unix-dev@xxxxxxxxxxx" <openssh-unix-dev@xxxxxxxxxxx>
Date: 11/20/2014 10:19 PM
Subject: Re: Fw: version question
On Thu, 20 Nov 2014, Nico Kadel-Garcia wrote:
> On Thu, Nov 20, 2014 at 9:31 PM, Damien Miller <djm@xxxxxxxxxxx>
> wrote: > On Wed, 19 Nov 2014, Nico Kadel-Garcia wrote: > >> Use
> 6.6p1, or consider patching the check for openssl version in >>
> openbsd-compat/openssl-compat.h to ignore the failure, on the basis >>
> that RHEL has been backporting patches to openssl for RHEL 5.. > > Do
> you understand why that check exists in the first place?
>
> That's why I asked.
Maybe you should ask _before_ recommending people disable checks in
their security software.
> A bit more digging shows that the HeartBleed bug apparently never
> applied to 0.9.8 versions of OpenSSL, the version used in RHEL 5, so
> that shouldn't be an issue there. OpenSSH version 6.6 was indeed,
> compatible with that older OpenSSL on RHEL 5, I even just tested its
> basic functionalit, so I assume it's not a major API incompatibility
> introduced with OpenSSH 6.7p1.
It has nothing to do with heartbleed - that is an SSL bug that doesn't
affect OpenSSH at all.
OpenSSL made a small API change in their 0.9.8 stable series that we
previously carried a compat hack for. The impact of not having this hack
is that EVP_CIPHER_CTX_key_length() returns an incorrect length. This
could cause connection problems or possibly insecurity in sshd.
-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
