Full Version: Can somebody post a howto upgrade openssh 3.1p1-6 to the latest version
The Planet Forums > Security > General Security
go_casper
Hi,

I did a security check using securitymetrics and it reveals some boring issues that need to be rectified asap. I am wondering if anyone could post a tested howto for upgrading openssh 3.1p1-6 to the latest version (or a version higher than 3.4), preferably workable on a RH7.2 box running Ensim 3.1.4-1.

I have searched this forum and read about some issues, like whether the howto is tested on virtual domains and so forth, hence preventing me from trying that, as I am still very new to managing this box and couldn't afford to make any errors.

Please help.

Below is my not-so-exciting report from securitymetrics:

You are running a version of OpenSSH which is older than 3.4. There is a flaw in this version that can be exploited remotely to give an attacker a shell on this host. Note that several distributors have patched this hole without changing the version number of OpenSSH. Since the test server solely relied on the banner of the remote SSH server to perform this check, this might be a false positive. If you are running a RedHat host, make sure that the command: rpm -q openssh-server
Returns: openssh-server-3.1p1-6.

Solution: Upgrade to OpenSSH 3.4 or contact your vendor for a patch
Risk Factor: High
CVE: CAN-2002-0639

You are running a version of OpenSSH older than OpenSSH 3.2.1. A buffer overflow exists in the daemon if AFS is enabled on your system, or if the options KerberosTgtPassing or AFSTokenPassing are enabled. Even in this scenario, the vulnerability may be avoided by enabling UsePrivilegeSeparation. Versions prior to 2.9.9 are vulnerable to a remote root exploit. Versions prior to 3.2.1 are vulnerable to a local root exploit.

Solution: Upgrade to the latest version of OpenSSH
Risk Factor: High
CVE: CAN-2002-0575
cmafia
If I'm not mistaken, OpenSSH has been modified for Ensim and can't be upgraded unless it's an Ensim-type of upgrade.

Cajun
go_casper
Hi cajun,

That's what I have been reading in this forum and the Ensim forum. Everything within Ensim is more or less modified. Though good in a way, it may or may not be as good either, esp. for those of us who wanted to try up2date but, after reading some notes online, retracted the idea because some updates may conflict with Ensim.

Hence, I wonder if anyone could set up something that rounds up what can be upgraded safely on 7.1 or 7.2 to work with Ensim 3.1.x, so that we will not be searching high and low, from forum to forum, just trying to confirm before we proceed with upgrading modules for an Ensim box. I believe many encounter this problem..

Hmm.. wondering if I am the only one facing this problem..
cmafia
That sounds like a good idea. I'm going to see if I can make a list of stuff that can be upgraded and what can't.

Cajun
go_casper
Maybe eventually, if someone could start a thread that collects what can be done and what ought not to be done on Ensim, probably that will benefit many of us doing Ensim now. Somehow it is a better, more centralised place where Ensim administrators could contribute what can be done and is tested and what couldn't, as the current situation is too scattered and many will find it difficult to derive a conclusion.

Wondering how many think the same way.. hmm
go_casper
With regards to TMX's post, I took a glance and noticed that openssh does not fall in the category that couldn't be upgraded, hence wondering if anybody running RH7.2 and Ensim 3.1.4 has successfully upgraded their openssh 3.1 to version 3.4?

* successfully in a way that is fully tested/verified.
mouse
There is no need to upgrade it; it has been done and can safely be done if you know all of the commands. I believe there was a howto floating around here, but as has been stated, all security holes have been fixed in the version running now.. Mouse
jd_waverly
In other words:
Redhat patched the old 3.1 version of the openssh code to close the holes and called it 3.1p1-6.

I guess the reason they did this was related to software compatibility. However, the net effect is to attract script kiddies who think they have found a vulnerable system... Oh well.
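The thread's point is that a banner-only scanner flags OpenSSH_3.1p1 as older than 3.4, while the package check the report itself recommends (rpm -q openssh-server returning openssh-server-3.1p1-6) shows the vendor backport. The following is an added example, not code from the thread or from Red Hat, that reproduces both checks: an rpmvercmp-style comparison (numeric and alphabetic segments compared separately) is used to decide whether an installed name-version-release is at or above the patched package; the banner strings and package names fed to it at the bottom are constructed samples.

```python
import re

# Vendor package carrying the backported fix (from the scanner report in this thread).
PATCHED_PACKAGE = "openssh-server-3.1p1-6"
# Upstream version at which the hole is closed without a vendor patch.
FIXED_UPSTREAM = "3.4"

def split_segments(s):
    """Split a version string into numeric/alpha runs, rpmvercmp style: '3.1p1' -> ['3','1','p','1']."""
    return re.findall(r"[0-9]+|[A-Za-z]+", s)

def vercmp(a, b):
    """Compare like rpm's rpmvercmp: returns -1, 0 or 1.
    Numeric segments compare as integers, alpha segments as strings,
    a numeric segment is newer than an alpha one, and leftover segments win."""
    sa, sb = split_segments(a), split_segments(b)
    for x, y in zip(sa, sb):
        xn, yn = x.isdigit(), y.isdigit()
        if xn and yn:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xn != yn:
            return 1 if xn else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1

def banner_says_vulnerable(banner):
    """What a banner-only scanner concludes: any OpenSSH older than 3.4 is flagged.
    Returns None when the banner is not an OpenSSH banner."""
    m = re.search(r"OpenSSH[_-]([0-9]\S*)", banner)
    return None if not m else vercmp(m.group(1), FIXED_UPSTREAM) < 0

def package_is_patched(installed, patched=PATCHED_PACKAGE):
    """The report's recommended check: is `rpm -q openssh-server` output at or above the patched NVR?"""
    n1, v1, r1 = installed.rsplit("-", 2)   # 'openssh-server-3.1p1-6' -> name, version, release
    n2, v2, r2 = patched.rsplit("-", 2)
    if n1 != n2:
        return False
    c = vercmp(v1, v2)
    return c > 0 if c != 0 else vercmp(r1, r2) >= 0

def assess(banner, installed_pkg):
    """Combine both signals: the banner finding is a false positive when the vendor package is patched."""
    if not banner_says_vulnerable(banner):
        return "not flagged"
    return "false positive (backported fix)" if package_is_patched(installed_pkg) else "vulnerable"

if __name__ == "__main__":  # constructed samples, not real hosts
    print(assess("SSH-1.99-OpenSSH_3.1p1", "openssh-server-3.1p1-6"))
    print(assess("SSH-1.99-OpenSSH_3.1p1", "openssh-server-3.1p1-3"))
```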