Hi All,

On January 14th, a new vulnerability CVE-2016-0777 affecting OpenSSH clients was announced. Globus services and client interactions with Globus services are not vulnerable.

This affects SSH and GSISSH clients when connecting to a malicious server. Globus distributes GSI-OpenSSH, which is based on OpenSSH. As such, we'll be applying the security patch for this issue from the OpenSSH developers and releasing updated gsi-openssh Globus Toolkit packages.

Note that the system-installed ssh package is used by globus-ftp-client based tools, such as globus-url-copy, when accessing sshftp:// URLs. If you use this feature, you should ensure your ssh package is up to date.

In the meantime, the problem can be avoided by adding the undocumented "UseRoaming no" directive to the relevant config files. The default system-wide configuration file for ssh is /etc/ssh/ssh_config, and for gsissh is /etc/gsissh/ssh_config.

References:
https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt
http://www.openssh.com/txt/release-7.1p2

If you have any concerns about this issue, please contact us at supp...@globus.org.

- Globus Team
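
Added example, not part of the Globus announcement or of any Globus or OpenSSH tooling: a shell check of whether the "UseRoaming no" workaround described above actually covers every host in a given config file, since ssh uses the first value it obtains for a keyword and a directive placed inside a host-specific block does not apply elsewhere. The function name roaming_status and its status words (disabled, enabled, partial, unset, missing) are hypothetical, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: report whether "UseRoaming no" covers every host in one
# ssh_config-style file. Only the named file is read; per-user config and
# command-line options, which ssh consults first, are not examined.
roaming_status() {
    [ -r "$1" ] || { echo missing; return 0; }
    awk '
    BEGIN { global = 1 }      # lines before the first Host/Match apply to all hosts
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next
        if (!match(line, /^[A-Za-z]+/)) next
        key = tolower(substr(line, 1, RLENGTH))      # keywords are case-insensitive
        val = tolower(substr(line, RLENGTH + 1))
        sub(/^[ \t]*=?[ \t]*/, "", val)              # "Key value" or "Key=value"
        sub(/[ \t]+$/, "", val)
        gsub(/"/, "", val)
        if (key == "host")  { global = (val == "*");   next }
        if (key == "match") { global = (val == "all"); next }
        if (key != "useroaming") next
        if (global) {                                # first value obtained wins
            if (val != "no")      result = "enabled"
            else if (scoped_yes)  result = "partial" # an earlier block re-enables it
            else                  result = "disabled"
            exit
        }
        scoped = 1
        if (val != "no") scoped_yes = 1
    }
    END { if (result == "") result = (scoped ? "partial" : "unset"); print result }
    ' "$1"
}

# Constructed sample: the directive sits only inside a host-specific block.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Host bastion.example.org
    UseRoaming no
Host *
    ForwardAgent no
EOF
echo "sample: $(roaming_status "$sample")"      # partial
rm -f "$sample"

# The two system-wide files named in the announcement.
for f in /etc/ssh/ssh_config /etc/gsissh/ssh_config; do
    echo "$f: $(roaming_status "$f")"
done
```

Anything other than "disabled" means the workaround does not cover every host in that file.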