Maarten Litmaath writes:

> Leif Nixon wrote:
>
>> The gsissh version in LCG 2.6.0, a.k.a. gsiopenssh-VDT1.2.2rh9-1,
>> seems to be based on an openssh version called OpenSSH_3.6.1p2-CERN20030917,
>
> I do not think so:
>
> $ strings -a /opt/globus/bin/gsissh | grep -i cern
> $ gsissh -V
> OpenSSH_3.8.1p1 NCSA_GSSAPI_3.4 GSI, OpenSSL 0.9.6m 17 Mar 2004

Duh. My mistake. I managed to look at the version string for the
ordinary ssh client, not gsissh. Sorry.

And since that is the official ssh client, I guess 20030917 is OK.

>> And given that the build date of the RPM is "Mon 16 Feb 2004", how
>> up-to-date is the GSI patch used?
>
> I know of no OpenSSL security advisory that would be relevant to our usage
> of OpenSSL.

I'm not talking about OpenSSL, I'm talking about NCSA's GSI patch for
OpenSSH. Versions 3.3 and earlier of the patch have a nasty security
hole.

However, since you kindly pointed me to the correct version string,
the LCG gsissh version seems to use version 3.4 of the patch, so that
should also be OK, then.

But it's still a bit strange, because version 3.4 wasn't released
until July 13, 2004, and the gsiopenssh RPM build date is February 16.
That's what had me worried in the first place.

-- 
Leif Nixon                       -            Systems expert
------------------------------------------------------------
National Supercomputer Centre    -      Linkoping University
------------------------------------------------------------
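
The check discussed in this message, as an added example that is not part of the original mail or of any LCG/NCSA tooling: it reads the GSI patch level from a `-V` banner and reports when the banner carries no `NCSA_GSSAPI` token at all, which is what happens if the plain ssh client is inspected by mistake. The function names are hypothetical, the 3.4 threshold is taken from the statement above that 3.3 and earlier are affected, and all banners except the quoted gsissh one are constructed.

```shell
#!/bin/sh
# Added example. Threshold assumption (from the thread): GSI patch 3.3 and
# earlier are affected, 3.4 and later are treated as OK.

# gsi_patch_version BANNER -> prints "MAJOR.MINOR" from the NCSA_GSSAPI_x.y
# token, or nothing if the banner has no such token.
gsi_patch_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*NCSA_GSSAPI_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# classify_banner BANNER -> prints one of: ok | vulnerable | no-gsi
classify_banner() {
    v=$(gsi_patch_version "$1")
    if [ -z "$v" ]; then
        # No GSI token: this is not a GSI-patched binary (wrong client checked).
        echo "no-gsi"
        return 0
    fi
    major=${v%%.*}
    minor=${v#*.}
    # Compare numerically so that e.g. 3.10 is newer than 3.4.
    if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 4 ]; }; then
        echo "ok"
    else
        echo "vulnerable"
    fi
}

# Sample banners: the first is the gsissh -V output quoted in the thread,
# the second is constructed, the third is only the version name of the
# ordinary ssh client mentioned in the thread.
for banner in \
    'OpenSSH_3.8.1p1 NCSA_GSSAPI_3.4 GSI, OpenSSL 0.9.6m 17 Mar 2004' \
    'OpenSSH_3.7.1p2 NCSA_GSSAPI_3.3 GSI' \
    'OpenSSH_3.6.1p2-CERN20030917'
do
    printf '%-10s %s\n' "$(classify_banner "$banner")" "$banner"
done

# On a real host, feed the live banner (ssh-style clients print -V to stderr):
#   classify_banner "$(/opt/globus/bin/gsissh -V 2>&1)"
```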