Note: This web site is only kept up to date for OSG Software 1.2 (VDT 2.0.0). If you are looking for information for the most recent release, the RPM-based OSG Software 3.0, please see the OSG documentation web site

GSI OpenSSH Vulnerability


Older versions of GSI OpenSSH contain a problem that may allow attackers to both deny service and execute arbitrary code.

Relevant Versions

This advisory affects the following VDT versions:

Date Announced



GSI OpenSSH versions before 3.9 contain a problem that may allow attackers to both deny service and execute arbitrary code. The details below were copied from Globus's Security Advisory 2007-02. But note that below we have a fix that is appropriate for the VDT.

Title: Globus Security Advisory 2007-02: GSI-OpenSSH vulnerability

Original issue date: April 9 2007
Last revised: None

Software affected: Globus Toolkit releases 4.0.0-4.0.3 and 4.1.0-4.1.1
                   GSI-OpenSSH releases 3.8 and earlier

Specific packages: gsi_openssh

Note: Globus Toolkit 4.0.4 includes GSI-OpenSSH 3.9 which is not
      affected.  Globus Toolkit 3.2 and earlier did not include
      GSI-OpenSSH, but GSI-OpenSSH may have been installed as an


A signal handler race condition in OpenSSH versions prior to 4.4 allows
remote attackers to cause a denial of service (crash) and possibly
execute arbitrary code:

Additionally, sshd in OpenSSH versions prior to 4.4, when using the
version 1 SSH protocol, allows remote attackers to cause a denial of
service (CPU consumption) via an SSH packet that contains duplicate
blocks, which is not properly handled by the CRC compensation attack

I. Description

According to the OpenSSH 4.4 release notes
(, a signal handler in prior
releases is "vulnerable to a race condition that could be exploited to
perform a pre-authentication denial of service," and "this
could theoretically lead to pre-authentication remote code execution,"
"but the likelihood of successful exploitation appears remote."

II. Impact

A remote attacker may cause a denial of service or execute arbitrary

III. Solution

GSI-OpenSSH 3.9, based on OpenSSH 4.5p1, is available for download

This GSI-OpenSSH release includes the signal handler race condition fix
and disables the SSH version 1 protocol by default.  GSI authentication
is performed over the SSH version 2 protocol.

We recommend that sites running GSI-OpenSSH servers version 3.8 and
earlier upgrade to GSI-OpenSSH 3.9.

Upgrade instructions are available at:

Use 'gsissh -V' or 'gpt-query gsi_openssh' to determine your installed
GSI-OpenSSH version:

  $ gsissh -V
  OpenSSH_4.2p1-hpn NCSA_GSSAPI_GPT_3.7 GSI, OpenSSL 0.9.7d 17 Mar
  $ gpt-query gsi_openssh
  1 package was found in /usr/local/gt-4.0.3 that matched your query:

  packages found that matched your query
        gsi_openssh-gcc64dbg-pgm pkg version: 3.7.0 software version:
        GSI-OpenSSH 3.7 / OpenSSH 4.2p1

To determine the version of a GSI-OpenSSH server, run:
  for Bourne shells:
    gsissh -v hostname exit 2>&1 | grep "remote software version"
  for C shells:
    gsissh -v hostname exit |& grep "remote software version"
  (replacing hostname with the hostname of the remote server.)

SHA1 checksums:
a79e716c0c5eaf8445efc5f091040fbbc0e5ea4f  gsi_openssh-3.9-src.tar.gz

MD5 checksums:
62662a6fb1c60f01e70a0ef810b327e5  gsi_openssh-3.9-src.tar.gz
0478bd00b9679234223f9ef117256c5f  gsi_openssh_bundle-3.9-src.tar.gz
893557d99ef57d5eefa399e85fd3df5c  gsi_openssh_compat-3.9-src.tar.gz
58337fe5c4fddb12e015b449f848639e  gsi_openssh_setup-3.9-src.tar.gz 
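The version check and checksum verification described above, folded into a reusable POSIX shell snippet; this is an added example and not part of the VDT page or the Globus advisory. It classifies the banner formats shown by 'gsissh -V' and by the "remote software version" line of 'gsissh -v hostname exit' against the 3.9 fix level, and assumes coreutils sha1sum/md5sum and that gsissh accepts OpenSSH's BatchMode option.

```shell
# Added example, not code from the VDT page or the Globus advisory.
# Classifies GSI-OpenSSH version banners against the fix level of Globus
# Security Advisory 2007-02 (GSI-OpenSSH 3.9, based on OpenSSH 4.5p1), using
# the banner formats printed by 'gsissh -V' and by 'gsissh -v host exit'.

FIXED_MAJOR=3   # first fixed GSI-OpenSSH release is 3.9
FIXED_MINOR=9

# Print the GSI-OpenSSH (NCSA GPT) version, e.g. "3.7", found in a banner;
# prints nothing for a banner without the NCSA_GSSAPI_GPT_ tag.
gsi_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*NCSA_GSSAPI_GPT_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 if the banner is at or above 3.9 (fixed), 1 if it is affected,
# 2 if the banner carries no GSI-OpenSSH version (e.g. plain OpenSSH).
classify_banner() {
    v=$(gsi_version_from_banner "$1")
    [ -n "$v" ] || return 2
    major=${v%%.*}
    minor=${v#*.}
    [ "$major" -gt "$FIXED_MAJOR" ] && return 0
    [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -ge "$FIXED_MINOR" ] && return 0
    return 1
}

# Check one server the way the advisory does ('gsissh -v host exit') and
# report; BatchMode (assumed supported) keeps a prompt from stalling a sweep.
check_server() {
    host=$1
    banner=$(gsissh -o BatchMode=yes -v "$host" exit 2>&1 | grep 'remote software version' || true)
    rc=0; classify_banner "$banner" || rc=$?
    case $rc in
        0) echo "$host: fixed (GSI-OpenSSH $(gsi_version_from_banner "$banner"))" ;;
        1) echo "$host: AFFECTED (GSI-OpenSSH $(gsi_version_from_banner "$banner")), upgrade to 3.9" ;;
        *) echo "$host: no GSI-OpenSSH version in banner" ;;
    esac
    return $rc
}

# Verify a downloaded tarball against a checksum listed in the advisory.
# usage: verify_sum sha1|md5 <expected hex> <file>   (assumes coreutils)
verify_sum() {
    case $1 in
        sha1) actual=$(sha1sum "$3" | cut -d' ' -f1) ;;
        md5)  actual=$(md5sum "$3" | cut -d' ' -f1) ;;
        *)    return 2 ;;
    esac
    [ "$actual" = "$2" ]
}
```

Run `check_server` once per host from your site list; a non-zero return flags hosts that still need the 3.9 upgrade.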


VDT 1.6.1's version of GSI OpenSSH was upgraded to 3.9. You can get this new version by running a single command:
pacman -update GSIOpenSSH


Please contact if you have any questions.