Can we install OpenSSH 7.4p1 on Red Hat EL5?


Hi,
Please advise: can we install OpenSSH 7.4p1 on Red Hat EL5?
I am not able to find an RPM of OpenSSH 7.4p1 for Red Hat 5.

Regards

Responses

According to Red Hat, the major version of "OpenSSH" will likely remain 4.3 for the entire RHEL 5 life cycle and will not change. Plus, RHEL 5 goes out of support at the end of this month.

Need openssh-4.4 or later version package for Red Hat Enterprise Linux 5 release

Hi, Thanks for the info.

I am just looking to mitigate the following vulnerabilities with the current version 4.3.

  1. OpenSSH "X11UseLocalhost" X11 Forwarding Session Hijacking Vulnerability: OpenSSH before 5.1 sets the SO_REUSEADDR socket option when the X11UseLocalhost configuration setting is disabled, which allows local users on some platforms to hijack the X11 forwarding port via a bind to a single IP address.

  2. OpenSSH CBC Mode Information Disclosure Vulnerability: Error handling in the SSH protocol in (1) SSH Tectia Client and Server, and Connector 4.0 through 4.4.11, 5.0 through 5.2.4, and 5.3 through 5.3.8; Client and Server and ConnectSecure 6.0 through 6.0.4; Server for Linux on IBM System z 6.0.4; Server for IBM z/OS 5.5.1 and earlier, 6.0.0, and 6.0.1; and Client 4.0-J through 4.3.3-J and 4.0-K through 4.3.10-K; and (2) OpenSSH 4.7p1 and possibly other versions, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors.

  3. OpenSSH X11 Cookie Local Authentication Bypass Vulnerability: ssh in OpenSSH before 4.7 does not properly handle when an untrusted cookie cannot be created and uses a trusted X11 cookie instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted.

Kindly let me know how these vulnerabilities can be addressed.

Thanks in advance.

These are all legacy vulnerabilities, all of which have been fixed. The first does not affect RHEL 5.

  1. CVE-2008-3259 - Issue does not affect openssh packages for Red Hat Enterprise Linux 5.

  2. CVE-2008-5161 - Fixed in openssh-4.3p2-36.el5

  3. CVE-2007-4752 - Fixed in openssh-4.3p2-26.el5_2.1
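
Added example, not part of the original thread and not Red Hat tooling: because the fixes listed above are backported into the 4.3p2 package, the thing to compare is the installed package's version-release, not the upstream version number a scanner reports. The sketch below uses a simplified form of rpm's version ordering (epoch, `~` and `^` are ignored as an assumption), the helper names are hypothetical, and the installed value is a constructed sample.

```python
import re

# Fix status exactly as listed in the reply above; None means "does not affect RHEL 5".
FIXED_IN = {
    "CVE-2008-3259": None,
    "CVE-2008-5161": "4.3p2-36.el5",
    "CVE-2007-4752": "4.3p2-26.el5_2.1",
}

def _segments(s):
    # rpm splits a version or release into runs of digits and runs of letters;
    # every other character is only a separator.
    return re.findall(r"[0-9]+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Simplified rpm ordering (no '~' or '^' handling). Returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alphabetic one
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments mean newer

def compare_vr(a, b):
    """Compare 'version-release' strings: version first, then release."""
    (va, ra), (vb, rb) = a.rsplit("-", 1), b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def audit(installed_vr):
    """Map each CVE from the thread to a status for the installed openssh build."""
    report = {}
    for cve, fixed in FIXED_IN.items():
        if fixed is None:
            report[cve] = "not affected"
        elif compare_vr(installed_vr, fixed) >= 0:
            report[cve] = "fixed"
        else:
            report[cve] = "needs update to >= " + fixed
    return report

if __name__ == "__main__":
    # Constructed sample; on a real host take the value from:
    #   rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssh
    for cve, status in audit("4.3p2-30.el5").items():
        print(cve, status)
```

On the host itself, `rpm -q --changelog openssh | grep CVE-2008-5161` shows whether the installed build's changelog mentions the backported fix.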
