GSI OpenSSH versions before 3.9 contain a problem that may allow attackers to both deny service and execute arbitrary code. The details below were copied from Globus's Security Advisory 2007-02. But note that below we have a fix that is appropriate for the VDT.
Title: Globus Security Advisory 2007-02: GSI-OpenSSH vulnerability Globus Security Advisory 2007-02: GSI-OpenSSH vulnerability Original issue date: April 9 2007 Last revised: None Software affected: Globus Toolkit releases 4.0.0-4.0.3 and 4.1.0-4.1.1 GSI-OpenSSH releases 3.8 and earlier Specific packages: gsi_openssh Note: Globus Toolkit 4.0.4 includes GSI-OpenSSH 3.9 which is not affected. Globus Toolkit 3.2 and earlier did not include GSI-OpenSSH, but GSI-OpenSSH may have been installed as an add-on package. Overview: A signal handler race condition in OpenSSH versions prior to 4.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5051 Additionally, sshd in OpenSSH versions prior to 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4924 I. Description According to the OpenSSH 4.4 release notes (http://openssh.org/txt/release-4.4), a signal handler in prior OpenSSH releases is "vulnerable to a race condition that could be exploited to perform a pre-authentication denial of service," and "this vulnerability could theoretically lead to pre-authentication remote code execution," "but the likelihood of successful exploitation appears remote." II. Impact A remote attacker may cause a denial of service or execute arbitrary code. III. Solution GSI-OpenSSH 3.9, based on OpenSSH 4.5p1, is available for download from: http://grid.ncsa.uiuc.edu/ssh/download.html This GSI-OpenSSH release includes the signal handler race condition fix and disables the SSH version 1 protocol by default. GSI authentication is performed over the SSH version 2 protocol. We recommend that sites running GSI-OpenSSH servers version 3.8 and earlier upgrade to GSI-OpenSSH 3.9. Upgrade instructions are available at: http://grid.ncsa.uiuc.edu/ssh/install.html Use 'gsissh -V' or 'gpt-query gsi_openssh' to determine your installed GSI-OpenSSH version: $ gsissh -V OpenSSH_4.2p1-hpn NCSA_GSSAPI_GPT_3.7 GSI, OpenSSL 0.9.7d 17 Mar 2004 $ gpt-query gsi_openssh 1 package was found in /usr/local/gt-4.0.3 that matched your query: packages found that matched your query gsi_openssh-gcc64dbg-pgm pkg version: 3.7.0 software version: GSI-OpenSSH 3.7 / OpenSSH 4.2p1 To determine the version of a GSI-OpenSSH server, run: for Bourne shells: gsissh -v hostname exit 2>&1 | grep "remote software version" for C shells: gsissh -v hostname exit |& grep "remote software version" (replacing hostname with the hostname of the remote server.) SHA1 checksums: a79e716c0c5eaf8445efc5f091040fbbc0e5ea4f gsi_openssh-3.9-src.tar.gz aa12e6118e92c9501088060d8fec862e1dbe114f gsi_openssh_bundle-3.9-src.tar.gz e6c43cbcf1aa3a0b335c60aac892a778587bc5e5 gsi_openssh_compat-3.9-src.tar.gz 5fb3bcfcb0829554c961e148cb64a4cece76bc96 gsi_openssh_setup-3.9-src.tar.gz MD5 checksums: 62662a6fb1c60f01e70a0ef810b327e5 gsi_openssh-3.9-src.tar.gz 0478bd00b9679234223f9ef117256c5f gsi_openssh_bundle-3.9-src.tar.gz 893557d99ef57d5eefa399e85fd3df5c gsi_openssh_compat-3.9-src.tar.gz 58337fe5c4fddb12e015b449f848639e gsi_openssh_setup-3.9-src.tar.gz
pacman -update GSIOpenSSH