Hi All,

The GSI-OpenSSH 5.7 source update package is available here:
        http://toolkit.globus.org/toolkit/advisories.html?version=6.0 

It is available from the Globus repo for all RPM and Deb platforms.
        http://toolkit.globus.org/toolkit/downloads/6.0/ 

It has been added to the Mac and Windows installers.

-Stu

> On Jan 14, 2016, at 3:03 PM, Stuart Martin <smar...@mcs.anl.gov> wrote:
> 
> Hi All,
> 
> On January 14th, a new vulnerability CVE-2016-0777 affecting OpenSSH clients 
> was announced.  Globus services and client interactions to Globus services 
> are not vulnerable.
> 
> This affects SSH and GSISSH clients when connecting to a malicious server.  
> Globus distributes GSI-OpenSSH, which is based on OpenSSH.  As such, we'll be 
> applying the security patch for this issue from the OpenSSH developers and 
> releasing updated gsi-openssh Globus Toolkit packages.
> 
> Note that the system installed ssh package is used by globus-ftp-client based 
> tools, such as globus-url-copy, when accessing sshftp:// URLs.  If you use 
> this feature, you should ensure your ssh package is up to date.
> 
> In the meantime, the problem can be avoided by adding the undocumented 
> "UseRoaming no" directive to the relevant config files.  The default 
> system-wide configuration file for ssh is  /etc/ssh/ssh_config, and for 
> gsissh is /etc/gsissh/ssh_config.
> 
> References:
>      https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt
>      http://www.openssh.com/txt/release-7.1p2
> 
> If you have any concerns about this issue, please contact us at 
> supp...@globus.org.
> 
> - Globus Team
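
The workaround described in the quoted advisory, as an added example that is not part of the original messages and is not Globus or OpenSSH code: a POSIX shell check that a client config file carries a `UseRoaming no` that applies to every host. The function names and the script name `check_roaming.sh` are hypothetical, and the check assumes the files contain no Include directives.

```shell
#!/bin/sh
# Added example (not Globus or OpenSSH code): audit client configs for the
# "UseRoaming no" workaround. ssh uses the first value it obtains for a keyword,
# so the directive only protects every connection when it sits before any
# Host/Match block or under "Host *". Assumes no Include directives.

# roaming_status FILE -> prints disabled | enabled | unset | missing
roaming_status() {
    [ -r "$1" ] || { echo missing; return 0; }
    awk '
        BEGIN { global = 1; result = "unset" }
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
            if (line == "" || line ~ /^#/) next
            sub(/[ \t]*=[ \t]*/, " ", line)        # accept keyword=value
            n = split(line, f, /[ \t]+/)
            key = tolower(f[1]); val = tolower(f[2])
            if (key == "host")  { global = (n == 2 && f[2] == "*"); next }
            if (key == "match") { global = (n == 2 && val == "all"); next }
            if (key != "useroaming") next
            # An explicit "yes" in any scope leaves at least one host roaming.
            if (val == "yes") { result = "enabled"; exit }
            if (val == "no" && global) { result = "disabled"; exit }
        }
        END { print result }
    ' "$1"
}

# audit_roaming FILE... -> one line per file; non-zero if any file needs a fix
audit_roaming() {
    rc=0
    for f in "$@"; do
        s=$(roaming_status "$f")
        printf '%s: %s\n' "$f" "$s"
        case $s in enabled|unset) rc=1 ;; esac
    done
    return $rc
}

# e.g. sh check_roaming.sh /etc/ssh/ssh_config /etc/gsissh/ssh_config
if [ "$#" -gt 0 ]; then audit_roaming "$@"; fi
```

A per-user `~/.ssh/config` is read before the system-wide file, so pass it as an extra argument when auditing an individual account.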
