I would recommend that you check for OpenSSH CVEs in the IBM Z Systems Security Portal, and if not covered then open a PMR.
Sadly, security departments don't always consider that there are very often workarounds for OpenSSH CVEs, or reasons that they don't apply to your installation. For example, consider the ones just mentioned:

CVE-2016-10010 only applies if you are running without privilege separation in sshd. "UsePrivilegeSeparation=no" has been discouraged for over 10 years and the default is "yes". If you have set it to "no", then you shouldn't worry with CVEs :-). OpenSSH 7.5 completely removes support for UsePrivilegeSeparation=no.

CVE-2016-10012 applies when you have Compression=yes enabled in sshd. If you use Compression="no" or "delayed", then this one would not apply. If you need compression and your ssh clients support delayed compression (which is common for all but really old products), then this is preferred. In later versions of OpenSSH (like 7.4 and later), sshd doesn't even support pre-authorization compression. So again, you can effectively implement the 7.4 "fix" now by setting Compression to "no" or "delayed".

Finally: it should be noted that, considering what OpenSSH does and its widespread use, serious CVEs are rare, especially compared to something like SSL/TLS (OpenSSL, etc.), which has a storied history of critical security bugs.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

PS> "PrivilegeSeparation" (2002) OpenSSH is some top-notch software engineering. Here's a 12 year old presentation: https://www.openbsd.org/papers/openssh-measures-asiabsdcon2007-slides.pdf

On Fri, Apr 12, 2019 at 7:13 PM Andrew Rowley <and...@blackhillsoftware.com> wrote:
>
> As far as I can see those CVEs also apply to 6.4p1. How would you go
> about verifying that they had been fixed in z/OS ssh? Suggesting that
> their existence means that 7.4 is insecure (more so than 6.4p1) seems
> very misleading to me.
>
> Looking at the CVE list, I can guess that the security team might be
> interested in the more severe CVEs applying to ssh before 7.4, e.g.
> CVE-2016-10010, CVE-2016-10012. How would you verify that the fixes are
> applied to z/OS 6.4p1? (Reading between the lines the changes sound
> significant enough to make backporting unlikely.)
>
> Andrew Rowley
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> ----------------------------------------------------------------------
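The two sshd_config keywords discussed in the message above (Compression and UsePrivilegeSeparation) are easy to audit on a host before deciding whether a CVE actually applies. The following POSIX sh checker is an added example, not code from the original post, from OpenSSH or from IBM. It assumes a pre-7.4 sshd whose defaults are Compression "delayed" and UsePrivilegeSeparation "yes", reads only the global section of the file (parsing stops at the first "Match" block, since sshd takes the first occurrence of a keyword and global settings precede Match blocks), and does not follow "Include" directives. The sample configurations it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post, OpenSSH or IBM): audit an sshd_config
# for the Compression and UsePrivilegeSeparation settings discussed in the thread.
# Assumptions: only the global section is parsed (stop at the first "Match" block);
# "Include" directives are not followed; defaults are those of a pre-7.4 sshd.

# Print the effective value of KEYWORD in CONFIG, or DEFAULT if it is not set.
# sshd honours the first occurrence of a keyword, so the first match wins.
# Both "Keyword value" and "Keyword=value" forms are accepted; comments are skipped.
sshd_effective() {
    config=$1 keyword=$2 default=$3
    value=$(awk -v key="$keyword" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^#/ { next }
        { split(line, f, "[ \t=]+") }
        tolower(f[1]) == "match"      { exit }          # end of the global section
        tolower(f[1]) == tolower(key) { print f[2]; exit }
    ' "$config")
    if [ -n "$value" ]; then printf '%s\n' "$value"; else printf '%s\n' "$default"; fi
}

# Print one finding per setting that matches the risky configuration the post
# describes; print nothing when both are fine. Returns 1 when any finding was
# printed so the function can drive a cron job or a pipeline.
sshd_findings() {
    config=$1 found=0
    comp=$(sshd_effective "$config" Compression delayed | tr 'A-Z' 'a-z')
    priv=$(sshd_effective "$config" UsePrivilegeSeparation yes | tr 'A-Z' 'a-z')
    case "$comp" in
        no|delayed) ;;   # no compression before authentication
        *) echo "Compression=$comp: pre-auth compression enabled; set 'delayed' or 'no'"; found=1 ;;
    esac
    case "$priv" in
        yes|sandbox) ;;  # privilege separation in effect
        *) echo "UsePrivilegeSeparation=$priv: privilege separation disabled; set 'yes' or 'sandbox'"; found=1 ;;
    esac
    return $found
}

# Constructed sample configurations (not real system files) for demonstration.
write_weak_config() {
    cat > "$1" <<'EOF'
# constructed sample: the configuration the post warns about
Port 22
Compression yes
UsePrivilegeSeparation=no
Match User backup
    X11Forwarding yes
EOF
}
write_hardened_config() {
    cat > "$1" <<'EOF'
# constructed sample: the workaround the post recommends
Port 22
Compression delayed
UsePrivilegeSeparation sandbox
EOF
}

# Usage: sshd_findings /etc/ssh/sshd_config && echo "no findings"
```

Running `sshd_findings` against the weak sample prints two findings and exits 1; against the hardened sample it prints nothing and exits 0. On a real host the values printed by `sshd_effective` should be compared with what `sshd -T` reports, since that reflects the version actually installed rather than the assumed defaults.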