I read today that there's a significant vulnerability in OpenSSH, which is fixed by the latest version, 7.1p2. According to this story your private key is vulnerable to disclosure.
I'm using the latest Amazon Linux AMI, and everything is up to date against Amazon's repository.
[root@aws /]# ssh -V
OpenSSH_6.6.1p1, OpenSSL 1.0.1k-fips 8 Jan 2015
Here's the list of what packages are available in the Amazon yum repository
yum list | grep openssh
openssh.x86_64 6.6.1p1-22.58.amzn1 @amzn-updates
openssh-clients.x86_64 6.6.1p1-22.58.amzn1 @amzn-updates
openssh-server.x86_64 6.6.1p1-22.58.amzn1 @amzn-updates
openssh-keycat.x86_64 6.6.1p1-22.58.amzn1 amzn-updates
openssh-ldap.x86_64 6.6.1p1-22.58.amzn1 amzn-updates
It seems like the Amazon repository is around two years behind on OpenSSH updates. I have read that some vendors backport updates to older versions of OpenSSH, so this might not be an issue, or Amazon may address it relatively soon.
Questions:
- Is this really a problem?
- If it's a problem, what's the best way to update? I would typically find another yum repository, increase its priority, and update from that.
Yes, it's really a problem, if you ever ssh to a machine that an attacker might control.
Until Amazon updates its package, you can stop the bug from affecting you by adding the line
UseRoaming no
to /etc/ssh/ssh_config on any machine from which you will be using the ssh client.
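Two checks for the mitigation in this answer, as an added example (not from the original post, and not Amazon's or OpenSSH's own tooling): whether a given ssh_config already sets `UseRoaming no` (adding it idempotently if not), and whether an `ssh -V` banner predates 7.1p2, the release the question names as carrying the fix. The config path argument, the function names and the sample banners are assumptions; a banner older than 7.1p2 is a prompt to check the vendor advisory, since distributions backport fixes without changing the version string.

```shell
#!/bin/sh
# Added example, not from the original post. Two checks for the client-side
# mitigation above: is "UseRoaming no" set in a given ssh_config, and does an
# "ssh -V" banner predate 7.1p2? The config path is an argument so the edit
# can be tried on a copy before touching /etc/ssh/ssh_config.

# Print "yes" if the file already sets UseRoaming to no, else "no".
roaming_disabled() {
    if grep -Eiq '^[[:space:]]*UseRoaming[[:space:]]+no([[:space:]]|$)' "$1" 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# Prepend "UseRoaming no" unless already present. It goes before any Host
# block because ssh_config uses the first value it finds for each option.
disable_roaming() {
    cfg="$1"
    [ -f "$cfg" ] || : > "$cfg"
    if [ "$(roaming_disabled "$cfg")" = yes ]; then return 0; fi
    tmp="$cfg.tmp.$$"
    { printf 'UseRoaming no\n'; cat "$cfg"; } > "$tmp" && mv "$tmp" "$cfg"
}

# Classify an "ssh -V" banner: "old" if before 7.1p2, "ok" otherwise, and
# "unknown" if it is not an OpenSSH_X.Y[.Z]pN banner. Vendors backport fixes
# without bumping the banner, so "old" means "check your distro advisory".
client_needs_fix() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\)[.0-9]*p\([0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || { echo unknown; return 0; }
    set -- $ver
    if [ "$1" -gt 7 ] || { [ "$1" -eq 7 ] && [ "$2" -gt 1 ]; } \
        || { [ "$1" -eq 7 ] && [ "$2" -eq 1 ] && [ "$3" -ge 2 ]; }; then
        echo ok
    else
        echo old
    fi
}

# Usage: if the installed client looks old and a config path was given as $1,
# add the mitigation to that file (nothing happens when ssh is absent).
if [ "$(client_needs_fix "$(ssh -V 2>&1)")" = old ] && [ -n "${1:-}" ]; then
    disable_roaming "$1"
fi
```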