Dear CafêX customers & partners.
We have been made aware that an openssh update is now available for Red Hat Enterprise Linux 6. It fixes BZ - 1357442 - 'CVE-2016-6210 openssh: User enumeration via covert timing channel'.
OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server.
A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210)
For details on the vulnerability and how to fix it, please see:
To fix this on CentOS 6 you'll need to update your packages (*NOTE* you'll need to perform these actions during a maintenance window), e.g. to update all installed packages:
# yum -y update
The goal is to get openssh to version 5.3p1-123.el6_9; afterwards, verify the installed packages:
# yum list installed | grep openssh
openssh.x86_64 5.3p1-123.el6_9 @updates
openssh-clients.x86_64 5.3p1-123.el6_9 @updates
openssh-server.x86_64 5.3p1-123.el6_9 @updates
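As an added example (not part of this notice, and not CafêX's or Red Hat's own tooling), the following POSIX shell script turns the manual check above into something that can be run across a fleet: it reads `yum list installed`-style lines and reports whether openssh, openssh-clients and openssh-server are at or past the fixed build 5.3p1-123.el6_9. The package lists embedded in it are constructed sample output, and the version comparison assumes the RHEL/CentOS 6 package stream (upstream 5.3p1 with a numeric release number), which is an assumption of this example rather than a general RPM version compare.

```shell
#!/bin/sh
# Added example: verify that the openssh packages on a CentOS 6 host are at
# or past the build that fixes CVE-2016-6210 (5.3p1-123.el6_9 per the notice).
FIXED_VERSION="5.3p1"
FIXED_RELEASE=123

# Constructed sample output of `yum list installed | grep openssh` for a
# host that is still on an older build (not captured from a real system).
SAMPLE_OLD='openssh.x86_64 5.3p1-122.el6_8 @updates
openssh-clients.x86_64 5.3p1-122.el6_8 @updates
openssh-server.x86_64 5.3p1-122.el6_8 @updates'

# Constructed sample output for a host that has applied the update.
SAMPLE_NEW='openssh.x86_64 5.3p1-123.el6_9 @updates
openssh-clients.x86_64 5.3p1-123.el6_9 @updates
openssh-server.x86_64 5.3p1-123.el6_9 @updates'

# is_fixed VERSION-RELEASE -> returns 0 if the build is at or past the fix.
# Assumes the RHEL 6 stream: upstream version 5.3p1 and a numeric release
# (e.g. "5.3p1-123.el6_9" -> version 5.3p1, release 123).
is_fixed() {
    vr="$1"
    ver="${vr%%-*}"          # 5.3p1
    rel="${vr#*-}"           # 123.el6_9
    rel="${rel%%.*}"         # 123
    [ "$ver" = "$FIXED_VERSION" ] || return 1
    case "$rel" in
        ''|*[!0-9]*) return 1 ;;   # non-numeric release: treat as not fixed
    esac
    [ "$rel" -ge "$FIXED_RELEASE" ]
}

# check_openssh_list LIST -> prints one verdict per package and returns 0
# only when openssh, openssh-clients and openssh-server are all fixed.
check_openssh_list() {
    status=0
    for pkg in openssh openssh-clients openssh-server; do
        # Match "<pkg>.<arch>" in column 1 and take the version-release column.
        vr=$(printf '%s\n' "$1" | awk -v p="$pkg" '$1 ~ ("^" p "\\.") { print $2; exit }')
        if [ -z "$vr" ]; then
            echo "$pkg: not installed"
            status=1
        elif is_fixed "$vr"; then
            echo "$pkg: $vr (fixed)"
        else
            echo "$pkg: $vr (needs update to $FIXED_VERSION-$FIXED_RELEASE.el6_9 or later)"
            status=1
        fi
    done
    return $status
}

# Run against the constructed samples. On a real host you would instead call:
#   check_openssh_list "$(yum list installed | grep openssh)"
check_openssh_list "$SAMPLE_OLD" || echo "host still needs the openssh update"
check_openssh_list "$SAMPLE_NEW" && echo "host is patched"
```

The script exits non-zero when any of the three packages is missing or below the fixed release, so it can be dropped into a configuration-management or monitoring check that flags hosts that did not complete the maintenance-window update.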