Hi All, I fount following text on internet. 5161: Error handling in the SSH protocol in (1) SSH Tectia Client and Server and Connector 4.0 through 4.4.11, 5.0 through 5.2.4, and 5.3 through 5.3.8; Client and Server and ConnectSecure 6.0 through 6.0.4; Server for Linux on IBM System z 6.0.4; Server for IBM z/OS 5.5.1 and earlier, 6.0.0, and 6.0.1; and Client 4.0-J through 4.3.3-J and 4.0-K through 4.3.10-K; and (2) OpenSSH 4.7p1 and possibly other versions, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors. 1483: OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs. Are these vulnerabilities applicable on Openssh 6.2p version? Do we need to patch these in 6.2p. Regards Abhishek On Mon, Mar 14, 2016 at 12:31 PM, abhi dhiman <abhi.dhiman83@xxxxxxxxx> wrote: > Hi All, > > Please direct me to the code changes for above vulnerabilities. > We don't have a vendor but we use Openssh in our software. So can't > upgrade it right now. > > Regards > Abhishek > > On Tue, Mar 8, 2016 at 7:08 PM, Martin Hecht <hecht@xxxxxxx> wrote: > >> >> Was that ssh shipped with your OS distribution? If yes, it might already >> be patched if you have installed the OS security patches. Check with >> your OS vendor. >> >> On 03/08/2016 02:19 PM, abhi dhiman wrote: >> > Hi Gert, >> > >> > Thanks for your reply. >> > >> > But we can't upgrade to 7.2 version also we don't have plan to upgrade >> in >> > near future. Can I fix these vulnerabilities in the current version? >> > >> > Regards >> > Abhishek >> > >> > On Tue, Mar 8, 2016 at 6:42 PM, Gert Doering <gert@xxxxxxxxxxxxxx> >> wrote: >> > >> >> Hi, >> >> >> >> On Tue, Mar 08, 2016 at 06:14:01PM +0530, abhi dhiman wrote: >> >>> Actually I am working with the OpenSSH version 6.2p which is >> vulnerable >> >> to >> >>> above mentioned vulnerabilities. >> >>> >> >>> So am looking for some help how I can fix these vulnerabilities in my >> >>> version. I need to fix it in the OpenSSH code. >> >> "Upgrade to 7.2"? >> >> >> >> gert >> >> -- >> >> USENET is *not* the non-clickable part of WWW! >> >> // >> >> www.muc.de/~gert/ >> >> Gert Doering - Munich, Germany >> >> gert@xxxxxxxxxxxxxx >> >> fax: +49-89-35655025 >> >> gert@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> >> >> > >> > >> >> >> > > > -- > abhi~dhiman > -- abhi~dhiman _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
