Note: This web site is only kept up to date for OSG Software
1.2 (VDT 2.0.0). If you are looking for information for the most recent
release, the RPM-based OSG Software 3.0, please see
the OSG documentation web site.
GSI OpenSSH Vulnerability
GSI OpenSSH server, in combination with certain system settings, can allow an authenticated user to become any user on the system.
This advisory affects the following VDT versions:
A security advisory is available from the GSI OpenSSH web page:
It does not affect OpenSSH, just GSI OpenSSH.
By default, the VDT does not configure computers to use GSI OpenSSH as a
server, and we are not aware of many VDT users who set up this
configuration automatically. If you are not aware of having made any changes
to use GSI OpenSSH from the VDT as a server, you are not impacted.
However, if you are using GSI OpenSSH as a server, this vulnerability may affect you.
Affected users have several options:
- Make configuration changes to GSI OpenSSH so that the exploit is
unavailable. This is described in the advisory as option #2.
- Stop using the GSI OpenSSH server.
- Upgrade to a new version of GSI OpenSSH.
- Upgrade to VDT 1.2.0 or higher.
Please contact firstname.lastname@example.org
if you have any questions.