Hi All,

The GSI-OpenSSH 5.7 source update package is available here:
http://toolkit.globus.org/toolkit/advisories.html?version=6.0

It is available from the Globus repo for all RPM and Deb platforms.
http://toolkit.globus.org/toolkit/downloads/6.0/

It has been added to the Mac and Windows installers.

-Stu

> On Jan 14, 2016, at 3:03 PM, Stuart Martin <smar...@mcs.anl.gov> wrote:
>
> Hi All,
>
> On January 14th, a new vulnerability CVE-2016-0777 affecting OpenSSH clients
> was announced. Globus services and client interactions to Globus services
> are not vulnerable.
>
> This affects SSH and GSISSH clients when connecting to a malicious server.
> Globus distributes GSI-OpenSSH, which is based on OpenSSH. As such, we'll be
> applying the security patch for this issue from the OpenSSH developers and
> releasing updated gsi-openssh Globus Toolkit packages.
>
> Note that the system installed ssh package is used by globus-ftp-client based
> tools, such as globus-url-copy, when accessing sshftp:// URLs. If you use
> this feature, you should ensure your ssh package is up to date.
>
> In the meantime, the problem can be avoided by adding the undocumented
> "UseRoaming no" directive to the relevant config files. The default
> system-wide configuration file for ssh is /etc/ssh/ssh_config, and for
> gsissh is /etc/gsissh/ssh_config.
>
> References:
>
> https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt
> http://www.openssh.com/txt/release-7.1p2
>
> If you have any concerns about this issue, please contact us at
> supp...@globus.org.
>
> - Globus Team
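
Added example, not part of the original messages and not Globus or OpenSSH code: a shell check that the "UseRoaming no" workaround mentioned above is actually in effect for every host in a given client config file, not merely present somewhere in it. The function name `check_useroaming`, the `sample_scoped` helper and the example.org hostname are assumptions made for illustration.

```shell
#!/bin/sh
# Usage: sh check_useroaming.sh /etc/ssh/ssh_config /etc/gsissh/ssh_config
# Prints a verdict per file: disabled | enabled | unset | unreadable.

# ssh_config uses the FIRST value obtained for a keyword, so "UseRoaming no"
# covers every connection only if it is reached before any other UseRoaming
# line and sits outside a restrictive Host/Match block.
check_useroaming() {
    [ -r "$1" ] || { echo unreadable; return 2; }
    verdict=$(awk '
        BEGIN { all = 1; verdict = "unset" }
        {
            line = $0
            sub(/\r$/, "", line); sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next
            n = match(line, /[ \t=]/)          # keyword ends at blank or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            arg = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", arg); sub(/[ \t]+$/, "", arg)
            gsub(/"/, "", arg)
            if (key == "host")  { all = (arg == "*"); next }
            if (key == "match") { all = (tolower(arg) == "all"); next }
            if (key != "useroaming") next
            if (tolower(arg) != "no") { verdict = "enabled"; exit }
            if (all)                  { verdict = "disabled"; exit }
            # "no" inside a restrictive block covers only those hosts: keep scanning
        }
        END { print verdict }
    ' "$1")
    echo "$verdict"
    [ "$verdict" = "disabled" ]
}

# Constructed sample (hypothetical host): the directive is present but scoped
# to one host, so connections to any other host are not covered.
sample_scoped() {
    printf '%s\n' 'Host bastion.example.org' '    UseRoaming no' \
                  'Host *' '    ForwardAgent no'
}

# Check every file named on the command line.
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(check_useroaming "$f")"
done
```

A verdict of `unset` or `enabled` means the file does not apply the workaround to all hosts. Per-user config files and command-line options are read before the system-wide file, so they need the same check.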