Posted on 02-11-2015 05:27 AM
It has come down from our IT Security team that the OpenSSH that is part of OS X 10.9.x and 10.10.x (currently listed as OpenSSH_6.2p2) needs to be patched to version 6.6p or higher.
The methods they suggest to take care of this sound less than fun. Anyone have suggestions on how to patch or any news as to when Apple may patch the software?
I been told it a level 3 defect and must be remedied in 90 days.
Posted on 02-11-2015 07:04 AM
Apple are a closed book as far as release dates of future patches unfortunately. You could look into the steps in this article:
I've used brew a few times to patch some of the UNIX / system bits.
Its worth mentioning that the recommended approach is to wait for Apple to release a fully supported patch. Not sure if that types of response would have any effect on the 90 day time limit? I mess around with brew and different versions of bash/sshd etc in lab environments but deploying to production machines is quite different. A subsequent Apple update could undo the change or do more damage.
Posted on 05-03-2016 08:10 AM
Looks like Apple patched this with OS X 10.11.4 update.
ssh -V now returns the following,
OpenSSH_6.9p1, LibreSSL 2.1.8
Posted on 05-03-2016 02:59 PM
It's in Apple's patch list for 10.11
Apple 10.11 Security Content
However, from: openssh
MITIGATION: For OpenSSH >= 5.4 the vulnerable code in the client can be completely disabled by adding 'UseRoaming no' to the gobal ssh_config(5) file, or to user configuration in ~/.ssh/config, or by passing -oUseRoaming=no on the command line.
So just set "UseRoaming" to "no" in the global config file on anything older than 10.11