Hello,
I've received this e-mail from my vps provider:
I checked my ssl version and it is an old OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013
I tried to update
But there are not updates for the SSH Client.
How can I update? Is this openssh version insecure?
Thanks
P.S. my operating system is CentOS Linux release 7.1.1503
I've received this e-mail from my vps provider:
Protecting Against CVE-2016-0777 and CVE-2016-0778
Posted: 15 Jan 2016 08:36 AM PST
Overview
A flaw in OpenSSH, discovered and reported by Qualys on Jan. 14, 2016, could potentially allow an information leak (CVE-2016-0777) or buffer overflow (CVE-2016-0778) via the OpenSSH client. Specifically, an undocumented feature called roaming, introduced in OpenSSH version 5.4, can be exploited to expose a client’s private SSH key.
Impact
The roaming feature, which allows clients to reconnect to the server automatically should the connection drop (on servers supporting the feature), can be exploited in the default configuration of OpenSSH clients from versions 5.4 through 7.1p1, but is not supported in the default configuration of the OpenSSH server.
All versions of OpenSSH clients from 5.4 through 7.1p1 are affected for anyone who connects via SSH on the following operating systems:
A connection made from an affected client to a compromised or malicious server which uses an SSH key for authentication potentially could expose all or part of the user’s private SSH key.
If the key utilized to authenticate the connection is encrypted, only the encrypted private key could be exposed. However, a malicious party could attempt to brute-force the password offline after obtaining the encrypted key.
Is Your SSH Client Vulnerable?
You can check the version of your SSH client by running the following command:
ssh -V
That will produce output similar to:
workstation$ $ ssh -V
OpenSSH_7.1p2, OpenSSL 1.0.2e 3 Dec 2015
If the version is below 7.1p2, the SSH client is affected.
Posted: 15 Jan 2016 08:36 AM PST
Overview
A flaw in OpenSSH, discovered and reported by Qualys on Jan. 14, 2016, could potentially allow an information leak (CVE-2016-0777) or buffer overflow (CVE-2016-0778) via the OpenSSH client. Specifically, an undocumented feature called roaming, introduced in OpenSSH version 5.4, can be exploited to expose a client’s private SSH key.
Impact
The roaming feature, which allows clients to reconnect to the server automatically should the connection drop (on servers supporting the feature), can be exploited in the default configuration of OpenSSH clients from versions 5.4 through 7.1p1, but is not supported in the default configuration of the OpenSSH server.
All versions of OpenSSH clients from 5.4 through 7.1p1 are affected for anyone who connects via SSH on the following operating systems:
- Linux
- FreeBSD
- Mac OS X
- Windows when using OpenSSH for Windows
- OpenSSH servers in default configuration
- Windows users utilizing PuTTY to connect
- Connections not authenticated via an SSH key
A connection made from an affected client to a compromised or malicious server which uses an SSH key for authentication potentially could expose all or part of the user’s private SSH key.
If the key utilized to authenticate the connection is encrypted, only the encrypted private key could be exposed. However, a malicious party could attempt to brute-force the password offline after obtaining the encrypted key.
Is Your SSH Client Vulnerable?
You can check the version of your SSH client by running the following command:
ssh -V
That will produce output similar to:
workstation$ $ ssh -V
OpenSSH_7.1p2, OpenSSL 1.0.2e 3 Dec 2015
If the version is below 7.1p2, the SSH client is affected.
I checked my ssl version and it is an old OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013
I tried to update
Code:
yum clean all && yum updateHow can I update? Is this openssh version insecure?
Thanks
P.S. my operating system is CentOS Linux release 7.1.1503
