Red Hat openssh vulnerability in EL6 - CVE-2016-6210 openssh


Dear CafêX customers & partners.

We have been made aware that an update for openssh is now available for Red Hat Enterprise Linux 6. This is to fix BZ - 1357442 - 'CVE-2016-6210 openssh: User enumeration via covert timing channel'.

OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server.

Security Fix(es):

A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210)

For details on the vulnerability and how to fix it, please see:

To fix on CentOS 6 you'll need to update your packages (*NOTE* you'll need to perform these actions during a maintenance window):

e.g. # yum -y update

The goal is for the openssh packages to reach version 5.3p1-123.el6_9, which you can verify with:

# yum list installed | grep openssh
openssh.x86_64 5.3p1-123.el6_9 @updates
openssh-clients.x86_64 5.3p1-123.el6_9 @updates
openssh-server.x86_64 5.3p1-123.el6_9 @updates
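As an added example (not part of the original notice), a small Python 3 script that checks whether the installed openssh packages are at or above the fixed build named above, comparing version-release strings the way rpm does rather than by plain string comparison. The fixed version string comes from this page; the package names, the `rpm -q` query and the assumption that EL6 openssh carries no epoch are mine.

```python
import re
import subprocess

# Fixed build named in the notice for EL6 (version-release; EL6 openssh has no epoch).
FIXED_EVR = "5.3p1-123.el6_9"

def _segments(s):
    # rpm compares alternating runs of digits and letters; separators are ignored.
    return re.findall(r"[0-9]+|[a-zA-Z]+", s)

def rpmvercmp(a, b):
    """Compare two rpm version or release strings. Returns -1, 0 or 1.
    Simplified: no '~'/'^' handling, which EL6 openssh builds never use."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)          # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alpha one
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1    # leftover segments mean "newer"

def evr_cmp(evr_a, evr_b):
    """Compare 'version-release' strings: version first, then release."""
    va, ra = evr_a.rsplit("-", 1)
    vb, rb = evr_b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def is_fixed(installed_evr, fixed_evr=FIXED_EVR):
    """True when the installed build is at or above the fixed build."""
    return evr_cmp(installed_evr, fixed_evr) >= 0

def installed_evr(package):
    """Ask rpm for the installed version-release of a package; None if absent."""
    try:
        out = subprocess.run(["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", package],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.strip()

if __name__ == "__main__":
    for pkg in ("openssh", "openssh-clients", "openssh-server"):
        evr = installed_evr(pkg)
        state = ("not installed" if evr is None
                 else "fixed" if is_fixed(evr) else "VULNERABLE - update needed")
        print(f"{pkg}: {evr} -> {state}")
```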
