Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: toby on September 20, 2003, 07:36:14 AM
-
Since 5.5 is no longer supported, can you manually apply patches to the SSH vulnerability if you have a number of machines that you are not yet in the position to upgrade? (A couple of our machines are on 5.5 due to issues with mirroring and the 845 chipset on 5.6, and I am not keen to go to 6.0u3.) I presume that with the kernel being also a 2.2 variant that on 5.5 you could just run the following:
e-smith-openssh-1.8.1-02.noarch.rpm
openssh-3.7.1p1-1es2.i386.rpm
openssh-server-3.7.1p1-1es2.i386.rpm
openssh-clients-3.7.1p1-1es2.i386.rpm
If there are dependency issues, is there another way around it?
Toby
-
I would be interested in this also :-)
-
Before you do anything else, disable external access to ssh if you hadn't done so already. Then you can start thinking about your update options. I have no idea if the rpms you mention cause any dependency errors on 5.5, but you can find out by doing
rpm -Uvh --test whatever
If there are dependency errors, your other option is to install the openssh updates for Red Hat 7.2. This does not require an update of e-smith-openssh, as configuration options should be compatible between minor version upgrades.
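-
The dry-run check from the reply above, as an added example that is not part of the original thread: it runs `rpm -Uvh --test` on the given packages and lists any unmet dependencies instead of installing anything. `RPM_BIN`, the function names and the sample rpm output are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: gate an rpm upgrade on a clean dry run.
# RPM_BIN is an assumption of this example (lets the check run against a stub).

# Constructed sample of failed `rpm -Uvh --test` output (not from a real host).
sample_output() {
    printf 'error: failed dependencies:\n'
    printf '\topenssl >= 0.9.6 is needed by openssh-3.7.1p1-1es2\n'
    printf '\tlibcrypto.so.2 is needed by openssh-server-3.7.1p1-1es2\n'
}

# Read rpm output on stdin; print "package: missing capability" per unmet dep.
unmet_deps() {
    sed -n 's/^[[:space:]]*\(.*\) is needed by \(.*\)$/\2: \1/p'
}

# preflight FILE.rpm...  -> 0 clean, 2 unmet dependencies, 1 other rpm error.
# Nothing is installed: --test only checks the transaction.
preflight() {
    if out=$("${RPM_BIN:-rpm}" -Uvh --test "$@" 2>&1); then
        echo "OK: dry run clean for $# package(s)"
        return 0
    fi
    deps=$(printf '%s\n' "$out" | unmet_deps)
    if [ -n "$deps" ]; then
        echo "BLOCKED: unmet dependencies"
        printf '%s\n' "$deps"
        return 2
    fi
    echo "FAILED: rpm reported an error other than dependencies"
    printf '%s\n' "$out"
    return 1
}

# With arguments, check those packages; with none, parse the constructed sample.
if [ "$#" -gt 0 ]; then
    preflight "$@"
else
    sample_output | unmet_deps
fi
```

Run it with the package files as arguments; a return code of 2 means the packages need dependencies the installed release does not provide.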
-
I have killed my ext ssh already :-) I think I will wait for 6 final and then do the upgrade.
With regards to this vulnerability, if I was to enable ssh just for my ip @ work, would I still be open to this vulnerability? I should be safe, shouldn't I?
-
I have 5.5 Update 3 installed, and I just downloaded the 4 files listed and ran 'rpm -Uvh *.rpm' against that folder. I did not get any dependency errors. I restarted the ssh daemon and then checked if everything seemed to be working. It does. So I don't know why these ssh updates can't be run against 5.5 systems. Am I missing something here?
-
I'll have a go also and let you know how I go. I left SME ssh open and locked the port on my Cisco router in the interim Chris... had no real plan to advertise myself on a forum and then leave it open ;-)
-
I had success updating 5.5 with these Redhat packages.
ftp://updates.redhat.com/7.2/en/os/i386/openssh-3.1p1-14.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/openssh-clients-3.1p1-14.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/openssh-server-3.1p1-14.i386.rpm
No dependency problems were discovered.