Fw: version question

Nico Kadel-Garcia nkadel at gmail.com
Sat Nov 22 00:03:18 EST 2014


On Thu, Nov 20, 2014 at 10:19 PM, Damien Miller <djm at mindrot.org> wrote:
> On Thu, 20 Nov 2014, Nico Kadel-Garcia wrote:

>> A bit more digging shows that the HeartBleed bug apparently never
>> applied to 0.9.8 versions of OpenSSL, the version used in RHEL 5, so
>> that shouldn't be an issue there. OpenSSH version 6.6 was indeed
>> compatible with that older OpenSSL on RHEL 5, I even just tested its
>> basic functionality, so I assume it's not a major API incompatibility
>> introduced with OpenSSH 6.7p1.
>
> It has nothing to do with heartbleed - that is an SSL bug that doesn't
> affect OpenSSH at all.
>
> OpenSSL made a small API change in their 0.9.8 stable series that we
> previously carried a compat hack for. The impact of not having this hack
> is that EVP_CIPHER_CTX_key_length() returns an incorrect length. This
> could cause connection problems or possibly insecurity in sshd.

Interesting, and thank you.  I'm not sure how I got it built and
tested in RHEL 5 without seeing that. I don't have a record of
touching configure.ac, but I might have done so in the testing setup.
That wasn't evident from the git log for the check in openbsd-compat.h
that was patched, but that's the *second* check: the one in configure.ac is
much better labeled, as one might well expect from a well-written
check.

I do see openssl 1.0.1 available for RHEL 5 over at
ftp://ftp.pramberger.at/systems/linux/contrib/rhel5. Might be worth
checking out, if anyone *really* needs OpenSSH 6.7p1 for RHEL 5. As
nice as it is of that packager to make it, I'd personally want to review
the SRPM and build locally, rather than simply deploying from an
unfamiliar 3rd party repository for software as security sensitive as
OpenSSL.

Personally, if I were David, the original poster, I'd consider this
another reason to upgrade to CentOS 6 or CentOS 7. CentOS 5 is now 7
years old, and this kind of backporting gets more and more painful
over time.


More information about the openssh-unix-dev mailing list