AIX 5.8p1?

Kevin Brott kevin.brott at gmail.com
Sun Sep 23 02:32:29 EST 2012


On 2012-09-20 21:22, Darren Tucker wrote:
> On Thu, Sep 20, 2012 at 11:14:16PM -0400, Ty Haller wrote:
>> I will contact them.
>>
>> However it seems that IBM just publishes binaries built from the regular
>> OpenSSH sources.
> I can't speak to what they currently do, however in the past they did
> modify the code.

IBM routinely "waits for releases to become stable", so they're typically at least a couple revs behind at any given time.  You'd think they'd apply any available patches at build time, but I've seen no evidence of it at this end after their three 5.0p1 releases.  The one 5.8 bundle they've released behaves like a stock 5.8p1 build (so far - haven't done a full vuln test on it, just finished doing all the 6.1 builds).

Vendor slow release cycles, and the question of back-ported patches are the major reasons I've been building update packages from source for internal distribution at work - to try and stay ahead of corporate "vulnerability scanners" that determine system vulnerabilities purely on the basis of a version string at connect. Red Hat are you listening?

>> They list their latest version as being built with OpenSSH 5.8p1. My
>> question is does version 5.8p1 address the mentioned vulnerabilities?
> For the stock 5.8p1, no.
>
> The fix for CVE-2011-5000 first appeared in 5.9p1
> http://anoncvs.mindrot.org/index.cgi/openssh/gss-serv.c?r1=1.24&r2=1.25
>
> CVE-2010-4755 only lets a client DoS itself:
> http://lists.mindrot.org/pipermail/openssh-unix-dev/2011-March/029429.html

The IBM release of 5.8 appears to be vulnerable to both of these (assuming I tested and understood the results correctly). If IBM's historical release cycles are used as a gauge (anywhere from 6-10 months after every other source releases; e.g. 5.0, 5.2, 5.4, 5.6, 5.8) - the next SSH bundle will be 6.0, and won't probably release any sooner than the end of this year. I'd say it's either time to build from source, or get IBM to commit to a release date (HA!) if you're looking to address a security audit finding.

>> I would expect those kinds of fixes to come straight from OpenSSH.
> Vendors often backport security fixes without bumping the major version.
>

Red Hat is notorious for this, IBM has historically been pretty good about their SSH/SSL bundles - the versioning of those packages matches consistently with the documented binary behaviours.
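The "version string at connect" check the message complains about is easy to reproduce, and doing so shows its limit. The following is an added example, not code from the thread or from the OpenSSH project: it parses the SSH identification string a server sends (assumed to follow the RFC 4253 shape `SSH-protoversion-softwareversion[ SP comments]`) into an OpenSSH version tuple and compares it with the upstream release that first carried a fix (the thread states 5.9p1 for CVE-2011-5000). The sample banners are constructed, and the verdict for an older banner is deliberately worded as "predates fix" rather than "vulnerable", because a vendor backport leaves the banner unchanged and the check cannot see it.

```python
import re
from typing import Dict, Iterable, NamedTuple, Optional

# Assumed banner shape, per RFC 4253 section 4.2:
#   SSH-<protoversion>-<softwareversion>[ SP <comments>]
# e.g. "SSH-2.0-OpenSSH_5.8p1" or "SSH-2.0-OpenSSH_5.8p1 some-vendor-comment"
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comment>.*))?\r?$"
)
# Portable OpenSSH advertises "OpenSSH_<major>.<minor>p<portable>"; OpenBSD builds omit "pN".
_OPENSSH_RE = re.compile(r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p(?P<portable>\d+))?")


class OpenSSHVersion(NamedTuple):
    major: int
    minor: int
    portable: int  # 0 when the banner carries no "pN" portable-release suffix


def parse_openssh_version(banner: str) -> Optional[OpenSSHVersion]:
    """Return the OpenSSH version advertised in an identification string,
    or None when the line is not a well-formed banner or not an OpenSSH build."""
    m = _BANNER_RE.match(banner)
    if not m:
        return None
    v = _OPENSSH_RE.match(m.group("software"))
    if not v:
        return None
    return OpenSSHVersion(
        int(v.group("major")), int(v.group("minor")), int(v.group("portable") or 0)
    )


def banner_verdict(banner: str, fixed_in: OpenSSHVersion) -> str:
    """Classify a banner against the upstream release that first shipped a fix.

    "unknown"                 banner unparsable or not OpenSSH
    "banner_predates_fix"     version string is older than the fixing release;
                              only 'possibly affected', since a vendor may have
                              backported the fix without bumping the banner
    "banner_at_or_after_fix"  version string is at or past the fixing release
    """
    v = parse_openssh_version(banner)
    if v is None:
        return "unknown"
    # NamedTuple ordering compares (major, minor, portable) lexicographically.
    return "banner_predates_fix" if v < fixed_in else "banner_at_or_after_fix"


# The thread states the CVE-2011-5000 fix first appeared upstream in 5.9p1.
FIX_CVE_2011_5000 = OpenSSHVersion(5, 9, 1)

# Constructed sample banners (not captured from any real host). The third one
# stands in for a vendor build that may or may not carry a backported fix:
# the banner gives no way to tell, which is the scanner's blind spot.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_5.8p1",
    "SSH-2.0-OpenSSH_5.9p1",
    "SSH-2.0-OpenSSH_5.8p1 hypothetical-vendor-build",
    "SSH-2.0-dropbear_2012.55",
    "not a banner at all",
]


def triage(banners: Iterable[str], fixed_in: OpenSSHVersion) -> Dict[str, str]:
    """Map each banner to its verdict against one fixing release."""
    return {b: banner_verdict(b, fixed_in) for b in banners}


if __name__ == "__main__":
    for banner, verdict in triage(SAMPLE_BANNERS, FIX_CVE_2011_5000).items():
        print(f"{banner!r:50} -> {verdict}")
```

A "banner_predates_fix" result is a prompt to consult the vendor's advisory or test the behaviour directly; treating it as a confirmed finding is exactly the false positive the message describes for backported builds, and a vendor-modified build with an up-to-date banner is the matching false negative.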
