Patching OpenSSH in 10.9.x and 10.10.x

ssmurphy
New Contributor III

Hello all,

It has come down from our IT Security team that the OpenSSH that is part of OS X 10.9.x and 10.10.x (currently listed as OpenSSH_6.2p2) needs to be patched to version 6.6p or higher.

The methods they suggest to take care of this sound less than fun. Anyone have suggestions on how to patch or any news as to when Apple may patch the software?

I've been told it's a level 3 defect and must be remedied in 90 days.

Thanks


davidacland
Honored Contributor II

Apple are a closed book as far as release dates of future patches unfortunately. You could look into the steps in this article:

http://stackoverflow.com/questions/10658950/upgrade-openssh-on-os-x-with-homebrew-for-pci-compliance

I've used brew a few times to patch some of the UNIX / system bits.

It's worth mentioning that the recommended approach is to wait for Apple to release a fully supported patch. Not sure if that type of response would have any effect on the 90 day time limit? I mess around with brew and different versions of bash/sshd etc. in lab environments, but deploying to production machines is quite different. A subsequent Apple update could undo the change or do more damage.

ssmurphy
New Contributor III

Looks like Apple patched this with OS X 10.11.4 update.

ssh -V now returns the following:

OpenSSH_6.9p1, LibreSSL 2.1.8

sean
Valued Contributor

It's in Apple's patch list for 10.11
Apple 10.11 Security Content

However, from: openssh

MITIGATION: For OpenSSH >= 5.4 the vulnerable code in the client can be completely disabled by adding 'UseRoaming no' to the global ssh_config(5) file, or to user configuration in ~/.ssh/config, or by passing -oUseRoaming=no on the command line.

So just set "UseRoaming" to "no" in the global config file on anything older than 10.11
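As an added example (not code from this thread or from Jamf), here is a small POSIX sh helper that ties together the two checks discussed above: whether the banner from `ssh -V` meets the 6.6 floor the original poster was given, and whether the `UseRoaming no` mitigation quoted from the OpenSSH advisory is present in, or can be added to, a client config file. It assumes the global client config on 10.9/10.10 lives at /etc/ssh_config (an assumption; every function takes the path as a parameter so it can be pointed at ~/.ssh/config or a test copy). It inserts the directive at the top of the file rather than appending it, because ssh_config uses the first value obtained for a keyword and anything placed after a `Host` block would only apply to that block.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Assumed default path for the global client config on OS X 10.9/10.10.
DEFAULT_SSH_CONFIG=/etc/ssh_config

# Return 0 if an 'ssh -V' banner reports OpenSSH 6.6 or newer, 1 otherwise.
# Takes the banner as $1 so it can be checked offline; live value: ssh -V 2>&1
openssh_at_least_6_6() {
    ver=$(printf '%s\n' "$1" |
          sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1          # not an OpenSSH banner at all
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 6 ]; }
}

# Return 0 if the config has an active (uncommented) 'UseRoaming no' line.
# Accepts 'UseRoaming no' and 'UseRoaming=no', case-insensitive like sshd.
has_useroaming_no() {
    cfg="$1"
    [ -f "$cfg" ] || return 1
    grep -Eiq '^[[:space:]]*UseRoaming[[:space:]=]+no[[:space:]]*$' "$cfg"
}

# Idempotently prepend 'UseRoaming no' so it precedes any Host block.
apply_useroaming_no() {
    cfg="$1"
    has_useroaming_no "$cfg" && return 0
    tmp="$cfg.tmp.$$"
    {
        printf '# Disable client roaming (OpenSSH advisory mitigation)\n'
        printf 'UseRoaming no\n'
        [ -f "$cfg" ] && cat "$cfg"
    } > "$tmp" && mv "$tmp" "$cfg"
}

# Human-readable status line for one config file (for audit scripts/EAs).
report_useroaming() {
    cfg="${1:-$DEFAULT_SSH_CONFIG}"
    if has_useroaming_no "$cfg"; then
        printf '%s: UseRoaming no is set\n' "$cfg"
    else
        printf '%s: UseRoaming no is NOT set\n' "$cfg"
    fi
}

# Typical use on a client, as root:
#   . ./ssh_roaming.sh
#   openssh_at_least_6_6 "$(ssh -V 2>&1)" || apply_useroaming_no /etc/ssh_config
#   report_useroaming /etc/ssh_config
```

The version check is the gate: a client that already reports 6.9p1 (the 10.11.4 value in the reply above) does not need the directive. Later OpenSSH releases dropped the roaming code entirely and only keep `UseRoaming` as a deprecated keyword, so applying it everywhere is harmless but pointless; scoping it to machines still on the 10.9/10.10 6.2p2 client keeps the config change easy to reverse once Apple's patch is deployed.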

Jamf Post openssh #18519