Leif Nixon wrote:
> Hi,
>
> The gsissh version in LCG 2.6.0, a.k.a. gsiopenssh-VDT1.2.2rh9-1,
> seems to be based on an openssh version called OpenSSH_3.6.1p2-CERN20030917,
I do not think so:
$ strings -a /opt/globus/bin/gsissh | grep -i cern
$ gsissh -V
OpenSSH_3.8.1p1 NCSA_GSSAPI_3.4 GSI, OpenSSL 0.9.6m 17 Mar 2004
> which also appears as the recommended version on
>
> http://security.web.cern.ch/security/ssh/ssh_faq.html
>
> Can someone confirm that this indeed still is the recommended version?
> It's just that "20030917" feels a bit elderly...
>
> And given that the build date of the RPM is "Mon 16 Feb 2004", how
> up-to-date is the GSI patch used?
I know of no OpenSSL security advisory that would be relevant to our usage
of OpenSSL.
|