Hi All,

On January 14th, a new vulnerability, CVE-2016-0777, affecting OpenSSH clients 
was announced.  Globus services, and client interactions with Globus services, 
are not vulnerable.

This affects SSH and GSISSH clients when connecting to a malicious server.  
Globus distributes GSI-OpenSSH, which is based on OpenSSH.  As such, we'll be 
applying the security patch for this issue from the OpenSSH developers and 
releasing updated gsi-openssh Globus Toolkit packages.

Note that the system-installed ssh package is used by globus-ftp-client based 
tools, such as globus-url-copy, when accessing sshftp:// URLs.  If you use this 
feature, you should ensure your system's ssh package is up to date.

In the meantime, the problem can be avoided by adding the undocumented 
"UseRoaming no" directive to the relevant client configuration files.  The 
default system-wide configuration file for ssh is /etc/ssh/ssh_config, and for 
gsissh it is /etc/gsissh/ssh_config.
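As an added example (not part of the Globus advisory or its packages), the following POSIX shell script checks whether a client configuration file disables roaming for every host and prepends the directive when it does not. It assumes only sh and awk, and runs against a constructed sample config rather than a real system file.

```shell
#!/bin/sh
# Added example: audit and harden an ssh_config for the CVE-2016-0777 workaround.
# ssh_config uses the FIRST value found for a directive, and lines below a
# "Host"/"Match" line apply only to matching hosts, so "UseRoaming no" must sit
# in the global section (above any Host/Match line, or under a bare "Host *")
# to cover every connection. POSIX sh and awk only.

# Return 0 if FILE disables roaming for all hosts, 1 otherwise.
useroaming_globally_disabled() {
    awk '
        {
            line = $0
            sub(/#.*/, "", line)                  # strip comments
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            n = split(line, f, /[ \t=]+/)         # "Key value" or "Key=value"
            if (n < 1 || f[1] == "") next
            key = tolower(f[1])
            if (key == "host" && !(n == 2 && f[2] == "*")) exit  # per-host block starts
            if (key == "match") exit                              # conditional block starts
            if (key == "useroaming" && tolower(f[2]) == "no") { found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1" 2>/dev/null
}

# Prepend "UseRoaming no" when FILE does not already disable roaming globally.
# Prepending keeps it ahead of any Host/Match block; rewriting in place keeps
# the file's ownership and mode.
disable_useroaming() {
    file=$1
    [ -f "$file" ] || : > "$file"
    if useroaming_globally_disabled "$file"; then return 0; fi
    tmp=$(mktemp) || return 1
    { printf 'UseRoaming no\n'; cat "$file"; } > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demo on a constructed config (not a real system file); to audit a host, run
# useroaming_globally_disabled /etc/ssh/ssh_config (or /etc/gsissh/ssh_config).
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample: this directive only covers example.org, not other hosts
Host example.org
    UseRoaming no
EOF
if useroaming_globally_disabled "$demo"; then echo "already hardened"; else disable_useroaming "$demo"; fi
if useroaming_globally_disabled "$demo"; then echo "hardened, first line: $(head -n 1 "$demo")"; fi
rm -f "$demo"
```

Run it as root against the real files only after reviewing the result on a copy; the check alone needs no privileges.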

References:

  https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt
  http://www.openssh.com/txt/release-7.1p2

If you have any concerns about this issue, please contact us at 
supp...@globus.org.

- Globus Team