Environment
Reflection for Secure IT UNIX Server version 8.0.1.74 (8.0 Service Pack 1 Build 74)
Resolution
Version Identification
This release is identified as version 8.0.1.74, which is displayed when running any of the clients or server daemon with the version switch (-V or --version).
What’s New in This Release?
This release includes features and fixes previously released in versions 8.0 Service Pack 1 (as described in KB 7022094) and 8.0 (as described in KB 7022091), plus the following updates.
Security Updates
- OpenSSL Null Pointer Dereference Vulnerability (CVE-2015-0289) is addressed. This vulnerability could allow attackers to cause a denial of service by providing malformed PKCS#7 data.
- OpenSSL Buffer Overflow Vulnerability (CVE-2015-0292) is addressed. This vulnerability could allow remote attackers to cause a denial of service or possibly other impact by using crafted base64 data that triggers a buffer overflow.
- Diffie-Hellman Logjam Vulnerability (CVE-2015-4000) is addressed. This vulnerability can allow an attacker to passively eavesdrop and decrypt SSH sessions that use weaker DH Groups for key exchange.
- OpenSSH PAM Impersonation Vulnerability (CVE-2015-6563) is addressed. This vulnerability could allow local users to conduct impersonation attacks by leveraging any SSH login access to send a crafted PAM request.
- OpenSSH PAM Use-after-free Vulnerability (CVE-2015-6564) is addressed. This vulnerability could allow local users to gain privileges by leveraging control of the SSH server to send an unexpected PAM request.
For more information on security updates, see https://support.microfocus.com/security/.
Additional Significant Changes
- Product is now a 64-bit application on IBM AIX POWER, Oracle Solaris 10 SPARC, and Oracle Solaris 11 SPARC.
Note for AIX: If the full path to the PAM libraries is specified in the pam.conf file, the path for the SSH PAM service will need to be updated to the 64-bit PAM library. See Configuring PAM on AIX below.
- IBM AIX 5.3 POWER and Oracle Solaris 9 SPARC are no longer supported platforms.
- Product now uses the OpenSSL FIPS Object Module for FIPS 140-2 Level 1 validation (Certificate #1747).
- HP-UX 11i v2 (11.23) PARISC and SUSE Linux Enterprise Server 10 zSeries, 64-bit are no longer FIPS 140-2 validated platforms. The client and server no longer support FIPS mode settings.
- The FIPS 140-2 Level 1 validation using the OpenSSL FIPS Object Module on IBM AIX 6.1 and 7.1 POWER is “In Process.”
Resolved Issues
This release includes fixes for the following server issues:
- Core dumps are no longer generated on Solaris and AIX platforms.
- The AccountManagement=aix and IgnoreRLogin=yes server configuration keywords can now be used together.
Downloading the Product
Maintained customers are eligible to download the latest product releases at https://download.attachmate.com/Upgrades/. You will be prompted to log in and accept the Software License Agreement before you can download a file. For more information about using the Downloads website, see KB 7021965.
Note: If you download an Oracle Solaris, HP-UX, or IBM AIX package using Internet Explorer, the uppercase (.Z) extension is changed to lowercase (.z). You will need to rename the file to use an uppercase Z before you can uncompress it.
For information about purchasing Reflection for Secure IT, contact a sales representative: https://www.attachmate.com/company/contact/.
Installing and Upgrading
For supported platform information, see KB 7022010.
To upgrade, you will need to:
- Back up the /etc/ssh2 directory (which includes configuration files and host keys).
- Uninstall your existing version.
- Install the new downloaded product.
For more information about installing and uninstalling, see the User Guide at https://support.microfocus.com/manuals/rsit_unix.html.
To replace an existing Secure Shell program (including using backed up files to merge your non-default settings to the new configuration file), see KB 7021941 or https://docs.attachmate.com/reflection/rsit-ssh/8.0sp1/unix/en/user-guide/rsit_unix_upgrade_rf.htm.
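The first upgrade step above is a backup of /etc/ssh2. The following script is an added example, not part of this KB article or the product: it archives the configuration directory with tar (which preserves the ownership and mode bits of the host keys), creates the archive under umask 077 because it contains private host keys, and then verifies that every regular file in the directory is listed in the archive before reporting success. The archive location (/var/backups by default) and the function name are assumptions, not anything the page specifies.

```shell
#!/bin/sh
# Added example, not part of the KB article: archive the Reflection for
# Secure IT configuration directory (default /etc/ssh2) before uninstalling,
# then verify every file made it into the archive. Ownership and mode bits
# are preserved by tar, and the archive itself is created with umask 077
# because it contains the private host keys.
# Assumed, not from the page: tar is available and the backup location
# (default /var/backups) is writable by the user running this.

backup_ssh2_dir() {
    src="${1:-/etc/ssh2}"
    dest_root="${2:-/var/backups}"
    parent=$(dirname "$src")
    name=$(basename "$src")
    archive="$dest_root/${name}-backup-$(date +%Y%m%d%H%M%S).tar"

    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    mkdir -p "$dest_root" || return 1

    # Subshell keeps the restrictive umask from leaking into the caller.
    # -C makes archive members relative (ssh2/...), so a restore into a
    # scratch directory for diffing against the new config is easy.
    ( umask 077 && tar -cf "$archive" -C "$parent" "$name" ) || return 1

    # Every regular file under $src must appear as a member of the archive.
    missing=$(find "$src" -type f | while IFS= read -r f; do
        rel="${f#"$parent"/}"
        tar -tf "$archive" | grep -qx -- "$rel" || echo "$rel"
    done)
    if [ -n "$missing" ]; then
        echo "missing from archive: $missing" >&2
        return 1
    fi
    echo "$archive"
}
```

Run it as root before uninstalling, for example `backup_ssh2_dir /etc/ssh2 /var/backups`; the function prints the archive path on success and returns non-zero if the source directory is missing or any file did not make it into the archive. Extracting the archive into a scratch directory after the new version is installed gives you the old files to merge non-default settings from, as described in KB 7021941.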
Configuring PAM on AIX
If the full path to the PAM libraries is specified in the pam.conf file, the path for the SSH PAM service will need to be updated to the 64-bit PAM library. For example:
ssh auth required /usr/lib/security/64/pam_aix
ssh account required /usr/lib/security/64/pam_aix
ssh password required /usr/lib/security/64/pam_aix
ssh session required /usr/lib/security/64/pam_aix
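To find the entries that still need this change, the following script is an added example (not from this KB article or the product) that reads a pam.conf file and reports each ssh service line whose module is given as a full path but is not the 64-bit library, printing the path it should be changed to. It assumes, as in the example above, that the 64-bit module lives in a "64" subdirectory of the 32-bit module directory; the function name and the default file location /etc/pam.conf are assumptions as well.

```shell
#!/bin/sh
# Added example, not part of the KB article: audit an AIX pam.conf for "ssh"
# service entries whose full library path still points at the 32-bit module
# directory, and print the 64-bit path each one should use.
# Assumption (not from the page): the 64-bit module lives in a "64"
# subdirectory of the 32-bit module directory, as in the article's example
# (/usr/lib/security/64/pam_aix).
# pam.conf fields: service module_type control_flag module_path [options]

check_pam_ssh_paths() {
    conf="${1:-/etc/pam.conf}"
    service="${2:-ssh}"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk -v svc="$service" '
        /^[ \t]*#/ || NF < 4 { next }   # skip comments and short lines
        $1 != svc { next }              # only the SSH PAM service
        $4 !~ /^\// { next }            # no full path given: nothing to change
        $4 ~ /\/64\// { next }          # already the 64-bit library
        {
            n = split($4, parts, "/")
            base = parts[n]
            dir = substr($4, 1, length($4) - length(base))
            printf "line %d: %s %s %s: 32-bit module %s; change to %s64/%s\n",
                   NR, $1, $2, $3, $4, dir, base
            found++
        }
        END { exit (found ? 1 : 0) }
    ' "$conf"
}
```

The function exits 0 when nothing needs changing, 1 when it printed at least one entry to fix, and 2 when the file cannot be read, so it can be used as a pre-upgrade check: `check_pam_ssh_paths /etc/pam.conf ssh || echo "update pam.conf before starting the 64-bit server"`.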