
[gsi-openssh-announce] GSI-OpenSSH 4.3 released



GSI-OpenSSH 4.3, based on OpenSSH 5.0p1, is now available from:

http://grid.ncsa.uiuc.edu/ssh/download.html

This release addresses Globus Security Advisory 2008-01 (see below).

For installation instructions, please see:

http://grid.ncsa.uiuc.edu/ssh/install.html

We appreciate your feedback and help in testing this version.
Please use Bugzilla to report GSI-OpenSSH bugs:

http://bugzilla.globus.org/globus/enter_bug.cgi?product=GSI-OpenSSH

GSI-OpenSSH 4.3 major changes:

  * Updated to OpenSSH 5.0p1.

  * Updated to HPN13v1.

  * X11 forwarding is no longer enabled by default in ssh_config.

-------- Original Message --------
Date: Thu, 03 Apr 2008 23:16:41 -0700
From: Jim Basney <jbasney@xxxxxxxxxxxxx>
To: security-announce@xxxxxxxxxx

Globus Security Advisory 2008-01: GSI-OpenSSH vulnerability

Original issue date: April 3 2008
Last revised: None

Software affected: Globus Toolkit releases 4.0.0-4.0.7 and 4.1.0-4.1.3
                   GSI-OpenSSH releases 4.2 and earlier
                   OpenSSH 4.9 and earlier

Specific packages: gsi_openssh

Note: Globus Toolkit 3.2 and earlier did not include GSI-OpenSSH, but
GSI-OpenSSH may have been installed as an add-on package.

Overview:

OpenSSH versions prior to 5.0 contain a locally exploitable security
issue that allows hijacking of X11-forwarded connections:

    http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1483

OpenSSH 5.0 was released to address this issue:

    http://www.openssh.org/txt/release-5.0

I. Description

OpenSSH versions prior to 5.0 allow local users to hijack forwarded X
connections by causing ssh to set DISPLAY even when another process is
listening on the associated port.  GSI-OpenSSH enables X forwarding by
default.

II. Impact

Allows unauthorized disclosure of information, unauthorized
modification, and disruption of service by a local attacker.

III. Solution

GSI-OpenSSH 4.3, based on OpenSSH 5.0p1, is available for download from:

    http://grid.ncsa.uiuc.edu/ssh/download.html

A GSI patch for OpenSSH 5.0p1 is also available from:

    ftp://ftp.globus.org/pub/gsissh/patch/openssh-5.0p1.patch

We recommend upgrading to GSI-OpenSSH 4.3 / OpenSSH 5.0p1.

Upgrade instructions are available at:

    http://grid.ncsa.uiuc.edu/ssh/install.html

Use 'gsissh -V' or 'gpt-query gsi_openssh' to determine your installed
GSI-OpenSSH version:

    $ gsissh -V
    OpenSSH_4.2p1-hpn NCSA_GSSAPI_GPT_3.7 GSI, OpenSSL 0.9.7d 17 Mar 2004
    $ gpt-query gsi_openssh
    1 package was found in /usr/local/gt-4.0.3 that matched your query:

    packages found that matched your query
          gsi_openssh-gcc64dbg-pgm pkg version: 3.7.0 software version:
          GSI-OpenSSH 3.7 / OpenSSH 4.2p1

To determine the version of a GSI-OpenSSH server, run:
    for Bourne shells:
      gsissh -v hostname exit 2>&1 | grep "remote software version"
    for C shells:
      gsissh -v hostname exit |& grep "remote software version"
    (replacing hostname with the hostname of the remote server.)

To mitigate this issue before upgrading, remove "ForwardX11 yes" from
the following files to disable X11 forwarding:

    $GLOBUS_LOCATION/etc/ssh/ssh_config
    $GLOBUS_LOCATION/etc/ssh/sshd_config

SHA1 checksums:
6a43e4a1f7594ee684ba88c408c5d337b338ed86  gsi_openssh-4.3-src.tar.gz
7e750984699c289b0964128153cdc634f0fd1204  gsi_openssh_bundle-4.3-src.tar.gz
e782f0b44c7101069ad470d9a4273d9332bac9f4  gsi_openssh_compat-4.3-src.tar.gz
5baa6c2fcca85bbbe8d4bd601d6855f01dbeff4b  gsi_openssh_setup-4.3-src.tar.gz

MD5 checksums:
24686ed1d46ce2e52e4c018556b4b164  gsi_openssh-4.3-src.tar.gz
4755f11dbb95804efd01c7f12eebdc5b  gsi_openssh_bundle-4.3-src.tar.gz
ddc5caca804c5583f1a7ef12350ee2dd  gsi_openssh_compat-4.3-src.tar.gz
1c5140f63f86e8fd38e7c2e2da55bb11  gsi_openssh_setup-4.3-src.tar.gz
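The version and configuration checks the advisory describes, as an added shell helper that is not part of the advisory, of GSI-OpenSSH or of the Globus Toolkit: it pulls the `OpenSSH_x.y` token out of a `gsissh -V` banner (or out of the "remote software version" debug line from `gsissh -v`), treats anything below 5.0 as affected by CVE-2008-1483, and greps a config file for an uncommented X11 forwarding directive. The sample banner and config fragment are constructed, not taken from a real host; `X11Forwarding` is assumed alongside `ForwardX11` because that is the sshd_config spelling of the same setting.

```shell
#!/bin/sh
# Added audit helper for Globus Security Advisory 2008-01.
# Not part of the advisory or of GSI-OpenSSH; all sample data below is constructed.

# Print the "major.minor" OpenSSH version from a line such as
#   OpenSSH_4.2p1-hpn NCSA_GSSAPI_GPT_3.7 GSI, OpenSSL 0.9.7d 17 Mar 2004
# or
#   debug1: Remote protocol version 2.0, remote software version OpenSSH_4.9p1
# Prints nothing when no OpenSSH_ token is present.
openssh_version_from_banner() {
    printf '%s\n' "$1" \
        | sed -n 's/.*OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
        | head -n 1
}

# Return 0 when the banner reports an OpenSSH release below 5.0 (affected),
# 1 when it is 5.0 or later, 2 when the banner could not be parsed.
openssh_affected() {
    ver=$(openssh_version_from_banner "$1")
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    [ "$major" -lt 5 ]
}

# Return 0 when the config file enables X11 forwarding through an uncommented
# "ForwardX11 yes" (ssh_config) or "X11Forwarding yes" (sshd_config) line.
# Commented-out lines and "no" settings are ignored.
x11_forwarding_enabled() {
    grep -Eiq '^[[:space:]]*(ForwardX11|X11Forwarding)[[:space:]]+yes' "$1"
}

# Constructed sample inputs (not from a real installation).
SAMPLE_BANNER='OpenSSH_4.2p1-hpn NCSA_GSSAPI_GPT_3.7 GSI, OpenSSL 0.9.7d 17 Mar 2004'
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# constructed ssh_config fragment
Host *
    ForwardX11 yes
    GSSAPIAuthentication yes
EOF

if openssh_affected "$SAMPLE_BANNER"; then
    echo "affected by CVE-2008-1483: $SAMPLE_BANNER"
else
    echo "not affected: $SAMPLE_BANNER"
fi

if x11_forwarding_enabled "$SAMPLE_CFG"; then
    echo "X11 forwarding is enabled in $SAMPLE_CFG; remove or set it to no until upgraded"
fi
rm -f "$SAMPLE_CFG"
```

On a real installation, feed `gsissh -V 2>&1` into `openssh_affected` and run `x11_forwarding_enabled` against `$GLOBUS_LOCATION/etc/ssh/ssh_config` and `$GLOBUS_LOCATION/etc/ssh/sshd_config`; the parser only looks at the OpenSSH base version, so the HPN and GSI suffixes in the banner do not affect the result.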

Attachment: signature.asc
Description: OpenPGP digital signature