I see that this is a CentOS 7 patch only, at least so far.  I also see that the 
CentOS 6 ssh version is 5.3
        > /usr/bin/ssh -V
        OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
which is supposedly not affected. However, strings indicates that /usr/bin/ssh 
is also aware of the useroaming configuration option:
        > strings /usr/bin/ssh | grep -i useroam
        useroaming
Is it actually known that the ssh version shipped with CentOS 6 is not 
vulnerable, or is it just assumed based on the version number?  The 
announcement implies that the roaming code itself was added in 5.4, not just 
that a default was changed, but if that’s really true, why is that string in 
the binary?

                                                                                
                Noam

P.S. I do realize this is a question better directed to RedHat, but I’m hoping 
someone here might still know.

> On Jan 15, 2016, at 9:39 AM, Johnny Hughes <joh...@centos.org> wrote:
> 
> For the record, this update is now released (it was yesterday):
> 
> https://lists.centos.org/pipermail/centos-announce/2016-January/021614.html
> 
> This contains a patch that disables roaming:
> https://git.centos.org/commitdiff/rpms!openssh.git/1edce7e6bfedb27a163f35bcacab620a703408ac
> 
> Thanks,
> Johnny Hughes
> 
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> https://lists.centos.org/mailman/listinfo/centos
