Re: Fw: version question

Thanks for the responses. I ended up editing our OpenSSH install script
so it will check Red Hat versions and install 6.6p1 on Red Hat 5 and 6.7p1
on 6 and 7 systems.


David Flatley
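The release-dependent selection described in the message above, written out as an added POSIX shell example (this is not David Flatley's install script or anything from the OpenSSH project). It assumes the Red Hat major version can be read from `/etc/redhat-release`, that the chosen tarball has already been downloaded and verified into `$SRCDIR` (a hypothetical variable), and it only runs the build when `OPENSSH_INSTALL` is set so the helper functions can be sourced and exercised on their own:

```sh
#!/bin/sh
# Added example: choose which OpenSSH portable release to build from the
# Red Hat major version, following the rule from the thread:
# 6.6p1 on Red Hat 5 (system OpenSSL 0.9.8), 6.7p1 on Red Hat 6 and 7.

# Extract the major version from a /etc/redhat-release line, e.g.
# "Red Hat Enterprise Linux Server release 5.11 (Tikanga)" -> 5
rhel_major() {
    printf '%s\n' "$1" | sed -n 's/.*release \([0-9][0-9]*\).*/\1/p'
}

# Map the major version to the OpenSSH release that builds against that
# system's OpenSSL; anything else is refused rather than guessed.
openssh_version_for() {
    case "$1" in
        5)   echo 6.6p1 ;;
        6|7) echo 6.7p1 ;;
        *)   return 1 ;;
    esac
}

# Build step. Assumed layout (not from the thread): the tarball for the
# chosen version already sits in $SRCDIR and has been signature-checked.
install_openssh() {
    ver="$1"
    srcdir="${SRCDIR:-/usr/local/src}"
    tarball="$srcdir/openssh-$ver.tar.gz"
    if [ ! -f "$tarball" ]; then
        echo "missing $tarball (download and verify it first)" >&2
        return 1
    fi
    cd "$srcdir" && tar xzf "$tarball" && cd "openssh-$ver" &&
        ./configure --prefix=/usr --sysconfdir=/etc/ssh && make && make install
}

main() {
    if ! rel=$(cat /etc/redhat-release 2>/dev/null); then
        echo "not a Red Hat system" >&2
        return 1
    fi
    major=$(rhel_major "$rel")
    if ! ver=$(openssh_version_for "$major"); then
        echo "unsupported release: $rel" >&2
        return 1
    fi
    echo "Red Hat $major: building OpenSSH $ver"
    install_openssh "$ver"
}

# Only run the install flow when explicitly requested, so the functions
# above can be sourced and tested without touching the system.
if [ -n "${OPENSSH_INSTALL:-}" ]; then
    main "$@"
fi
```

Run it as `OPENSSH_INSTALL=1 sh install-openssh.sh` on the target host; without that variable it defines the functions and exits, which is what the checks below rely on.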





From:	Damien Miller <djm@xxxxxxxxxxx>
To:	Nico Kadel-Garcia <nkadel@xxxxxxxxx>,
Cc:	David Flatley/Burlington/IBM@IBMUS,
            "openssh-unix-dev@xxxxxxxxxxx" <openssh-unix-dev@xxxxxxxxxxx>
Date:	11/20/2014 10:19 PM
Subject:	Re: Fw: version question



On Thu, 20 Nov 2014, Nico Kadel-Garcia wrote:

> On Thu, Nov 20, 2014 at 9:31 PM, Damien Miller <djm@xxxxxxxxxxx> wrote:
> > On Wed, 19 Nov 2014, Nico Kadel-Garcia wrote:
> >
> > > Use 6.6p1, or consider patching the check for openssl version in
> > > openbsd-compat/openssl-compat.h to ignore the failure, on the basis
> > > that RHEL has been backporting patches to openssl for RHEL 5..
> >
> > Do you understand why that check exists in the first place?
>
> That's why I asked.

Maybe you should ask _before_ recommending people disable checks in
their security software.

> A bit more digging shows that the Heartbleed bug apparently never
> applied to 0.9.8 versions of OpenSSL, the version used in RHEL 5, so
> that shouldn't be an issue there. OpenSSH version 6.6 was indeed
> compatible with that older OpenSSL on RHEL 5, I even just tested its
> basic functionality, so I assume it's not a major API incompatibility
> introduced with OpenSSH 6.7p1.

It has nothing to do with heartbleed - that is an SSL bug that doesn't
affect OpenSSH at all.

OpenSSL made a small API change in their 0.9.8 stable series that we
previously carried a compat hack for. The impact of not having this hack
is that EVP_CIPHER_CTX_key_length() returns an incorrect length. This
could cause connection problems or possibly insecurity in sshd.

-d



_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
