Discussion:
Need Help to Fix CVE-2008-1483, CVE-2008-5161, CVE-2015-5600 and CVE-2015-6565
abhi dhiman
2016-03-08 12:44:01 UTC
Hi All,

Actually, I am working with OpenSSH version 6.2p, which is vulnerable to
the above-mentioned vulnerabilities.

So I am looking for some help on how I can fix these vulnerabilities in my
version. I need to fix it in the OpenSSH code.

Regards
Abhishek
Gert Doering
2016-03-08 13:12:13 UTC
Hi,
Post by abhi dhiman
Actually I am working with the OpenSSH version 6.2p which is vulnerable to
above mentioned vulnerabilities.
So am looking for some help how I can fix these vulnerabilities in my
version. I need to fix it in the OpenSSH code.
"Upgrade to 7.2"?

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany ***@greenie.muc.de
fax: +49-89-35655025 ***@net.informatik.tu-muenchen.de
abhi dhiman
2016-03-08 13:19:58 UTC
Hi Gert,

Thanks for your reply.

But we can't upgrade to version 7.2, and we don't have plans to upgrade in
the near future. Can I fix these vulnerabilities in the current version?

Regards
Abhishek
Martin Hecht
2016-03-08 13:38:30 UTC
Was that ssh shipped with your OS distribution? If yes, it might already
be patched if you have installed the OS security patches. Check with
your OS vendor.
abhi dhiman
2016-03-14 07:01:43 UTC
Hi All,

Please direct me to the code changes for the above vulnerabilities.
We don't have a vendor, but we use OpenSSH in our software, so we can't
upgrade it right now.

Regards
Abhishek
abhi dhiman
2016-03-14 07:04:37 UTC
Hi All,

I found the following text on the internet.

5161:

Error handling in the SSH protocol in (1) SSH Tectia Client and Server and
Connector 4.0 through 4.4.11, 5.0 through 5.2.4, and 5.3 through 5.3.8;
Client and Server and ConnectSecure 6.0 through 6.0.4; Server for Linux on
IBM System z 6.0.4; Server for IBM z/OS 5.5.1 and earlier, 6.0.0, and
6.0.1; and Client 4.0-J through 4.3.3-J and 4.0-K through 4.3.10-K;
and (2) OpenSSH 4.7p1 and possibly other versions, when using a block
cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for
remote attackers to recover certain plaintext data from an arbitrary block
of ciphertext in an SSH session via unknown vectors.

1483:

OpenSSH 4.3p2, and probably other versions, allows local users to hijack
forwarded X connections by causing ssh to set DISPLAY to :10, even when
another process is listening on the associated port, as demonstrated by
opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.

Are these vulnerabilities applicable to OpenSSH version 6.2p?

Do we need to patch these in 6.2p?

Regards
Abhishek
Damien Miller
2016-03-14 16:42:10 UTC
Post by abhi dhiman
Hi All,
Please direct me to the code changes for above vulnerabilities.
We don't have a vendor but we use Openssh in our software. So can't upgrade
it right now.
OpenSSH is maintained by a small team who only have the resources to
support the current version. If you need to generate cherry-pick
patches then you'll either need to do it yourself or find a competent
developer to do it for you.

Finding them yourself isn't too hard: checkout the version containing
the fix from git and look at the commit log. Security vulnerabilities
usually precipitate a release quite quickly, so it will likely be one of
the last commits in the log. Do be careful: people have caused problems
by mis-applying cherry-pick patches inappropriately before. It's
much better just to use the latest version.

-d
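
The procedure described in the post above, as an added example that is not part of the original thread or of the OpenSSH project's tooling: list the commits that separate two releases, then dry-run the fix commit against the older source tree before touching it. The repository, the tag names `OLD_RELEASE` and `FIXED_RELEASE`, the files and the commit messages are constructed stand-ins; with the real tree you would use a clone of the upstream repository and its release tags.

```shell
#!/bin/sh
# Added example. The repository, tag names (OLD_RELEASE, FIXED_RELEASE), files
# and commit messages are constructed stand-ins, not OpenSSH's.

make_demo_repo() {            # builds the toy upstream repo, prints its path
    repo=$(mktemp -d) || return 1
    (
        cd "$repo" || exit 1
        git init -q .
        git config user.email demo@example.invalid
        git config user.name demo
        printf 'int check(int n) {\n    return 1;\n}\n' > auth.c
        git add auth.c && git commit -q -m "initial import"
        git tag OLD_RELEASE                     # the version you ship
        printf '/* helper */\n' > misc.c
        git add misc.c && git commit -q -m "add misc helper"
        printf 'int check(int n) {\n    return n < 6;\n}\n' > auth.c
        git commit -q -a -m "limit retries (security fix)"
        git tag FIXED_RELEASE                   # the release carrying the fix
    ) || return 1
    printf '%s\n' "$repo"
}

# Step 1: commits that separate the two releases, newest first.
commits_between() {           # usage: commits_between REPO OLD_TAG NEW_TAG
    git -C "$1" log --format='%h %s' "$2..$3"
}

# Unpack a tagged release into a plain directory (stands in for your tree).
export_tree() {               # usage: export_tree REPO TAG; prints the path
    dir=$(mktemp -d) || return 1
    git -C "$1" archive "$2" | tar -xf - -C "$dir" || return 1
    printf '%s\n' "$dir"
}

# Step 2: dry-run one commit against a source tree. Nothing is modified;
# a non-zero status means the patch needs a manual, reviewed backport.
patch_applies() {             # usage: patch_applies REPO COMMIT TREE_DIR
    git -C "$1" format-patch -1 --stdout "$2" |
        (cd "$3" && git apply --check -)
}

repo=$(make_demo_repo) || exit 1
commits_between "$repo" OLD_RELEASE FIXED_RELEASE
fix=$(git -C "$repo" rev-parse FIXED_RELEASE)
tree=$(export_tree "$repo" OLD_RELEASE) || exit 1
patch_applies "$repo" "$fix" "$tree" && echo "fix applies cleanly to old tree"
```

A clean `git apply --check` only shows that the surrounding context lines match; the backported change still has to be reviewed and tested against the older code.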
Philip Hands
2016-03-14 17:55:53 UTC
Post by abhi dhiman
Hi All,
Actually I am working with the OpenSSH version 6.2p which is vulnerable to
above mentioned vulnerabilities.
Are you sure?

I was going to suggest that you take a look at Debian's packages, such
as the 6.0p1 package from "wheezy", but looking at the changelog, I only
see mention of CVE-2008-1483:

http://metadata.ftp-master.debian.org/changelogs/main/o/openssh/openssh_6.0p1-4+deb7u3_changelog

Likewise for 6.6p1:

http://metadata.ftp-master.debian.org/changelogs/main/o/openssh/openssh_6.6p1-4~bpo70+1_changelog

Note that CVE-2008-1483 was fixed in Debian's 4.7p1-5 package, on 22 Mar
2008, so I'm wondering who would have supplied a vulnerable version of
6.2p (released in 2012).

It looks to me as though it was fixed in 4.9, so I'm very doubtful
about the assertion that 6.2 is vulnerable.

As for CVE-2015-6565, this:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6565

claims that versions 6.8 and 6.9 are vulnerable, so again not 6.2.

I'll leave you to look at the other two.

Cheers, Phil.
--
|)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd.
|-| http://www.hands.com/ http://ftp.uk.debian.org/
|(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY
abhi dhiman
2016-03-15 13:54:09 UTC
Thanks a lot guys for the pointers.

Regards
Abhishek