Patch for OS X:

    echo -e 'Host *\nUseRoaming no' >> ~/.ssh/config

On Thu, Jan 14, 2016 at 10:57 AM, Yves-Alexis Perez <cor...@debian.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-3446-1                   secur...@debian.org
> https://www.debian.org/security/                       Yves-Alexis Perez
> January 14, 2016                      https://www.debian.org/security/faq
> - -------------------------------------------------------------------------
>
> Package        : openssh
> CVE ID         : CVE-2016-0777 CVE-2016-0778
> Debian bug     : 810984
>
> The Qualys Security team discovered two vulnerabilities in the roaming
> code of the OpenSSH client (an implementation of the SSH protocol
> suite).
>
> SSH roaming enables a client, in case an SSH connection breaks
> unexpectedly, to resume it at a later time, provided the server also
> supports it.
>
> The OpenSSH server doesn't support roaming, but the OpenSSH client
> supports it (even though it's not documented) and it's enabled by
> default.
>
> CVE-2016-0777
>
>     An information leak (memory disclosure) can be exploited by a rogue
>     SSH server to trick a client into leaking sensitive data from the
>     client memory, including for example private keys.
>
> CVE-2016-0778
>
>     A buffer overflow (leading to file descriptor leak), can also be
>     exploited by a rogue SSH server, but due to another bug in the code
>     is possibly not exploitable, and only under certain conditions (not
>     the default configuration), when using ProxyCommand, ForwardAgent or
>     ForwardX11.
>
> This security update completely disables the roaming code in the OpenSSH
> client.
>
> It is also possible to disable roaming by adding the (undocumented)
> option 'UseRoaming no' to the global /etc/ssh/ssh_config file, or to the
> user configuration in ~/.ssh/config, or by passing -oUseRoaming=no on
> the command line.
>
> Users with passphrase-less private keys, especially in non-interactive
> setups (automated jobs using ssh, scp, rsync+ssh etc.) are advised to
> update their keys if they have connected to an SSH server they don't
> trust.
>
> More details about identifying an attack and mitigations will be
> available in the Qualys Security Advisory.
>
> For the oldstable distribution (wheezy), these problems have been fixed
> in version 1:6.0p1-4+deb7u3.
>
> For the stable distribution (jessie), these problems have been fixed in
> version 1:6.7p1-5+deb8u1.
>
> For the testing distribution (stretch) and unstable distribution (sid),
> these problems will be fixed in a later version.
>
> We recommend that you upgrade your openssh packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
>
> Mailing list: debian-security-annou...@lists.debian.org
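The 'UseRoaming no' mitigation from the advisory, as an added example (not the advisory's or the reply's own code): a POSIX sh function that appends the directive only once, so re-running it on a host that already has it does not stack duplicate or conflicting entries, plus a check function that tells you whether a given ssh_config already disables roaming. It uses printf rather than echo -e because echo's handling of -e and \n differs between shells; the file paths are whatever you pass in.

```shell
#!/bin/sh
# Added example: idempotently disable OpenSSH client roaming in an
# ssh_config file (CVE-2016-0777 / CVE-2016-0778 mitigation) and verify it.

# roaming_disabled FILE: succeed if FILE contains a "UseRoaming no" line.
# ssh_config keywords are case-insensitive and may be indented.
roaming_disabled() {
    [ -r "$1" ] && grep -Eiq '^[[:space:]]*UseRoaming[[:space:]]+no[[:space:]]*$' "$1"
}

# has_roaming_directive FILE: succeed if any UseRoaming directive exists,
# whatever its value, so we never append a second one behind it.
has_roaming_directive() {
    [ -r "$1" ] && grep -Eiq '^[[:space:]]*UseRoaming[[:space:]]' "$1"
}

# disable_roaming FILE: append a "Host *" block that sets UseRoaming no,
# unless FILE already carries a UseRoaming directive. Returns success only
# if, afterwards, FILE actually disables roaming (an existing
# "UseRoaming yes" is reported, not silently overridden).
# ssh_config takes the first value set for a keyword; appending at the end
# is safe here precisely because no earlier block sets this undocumented
# option, and the Host * block is scoped so it applies to every host.
disable_roaming() {
    file=$1
    if has_roaming_directive "$file"; then
        roaming_disabled "$file"
        return
    fi
    mkdir -p "$(dirname "$file")"
    printf '\n# Disable client roaming (CVE-2016-0777, CVE-2016-0778)\nHost *\n    UseRoaming no\n' >> "$file"
    roaming_disabled "$file"
}
```

Run it against both ~/.ssh/config and /etc/ssh/ssh_config (the latter as root); a non-zero exit means the file already contains a UseRoaming directive that is not "no" and needs a manual look.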