https://news.ycombinator.com/item?id=10901588
On Thu, Jan 14, 2016 at 2:25 PM, Steph <[email protected]> wrote:
> Patch for OS X: echo -e 'Host *\nUseRoaming no' >> ~/.ssh/config
>
> On Thu, Jan 14, 2016 at 10:57 AM, Yves-Alexis Perez <[email protected]> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> -------------------------------------------------------------------------
>> Debian Security Advisory DSA-3446-1                   [email protected]
>> https://www.debian.org/security/                       Yves-Alexis Perez
>> January 14, 2016                      https://www.debian.org/security/faq
>> -------------------------------------------------------------------------
>>
>> Package        : openssh
>> CVE ID         : CVE-2016-0777 CVE-2016-0778
>> Debian bug     : 810984
>>
>> The Qualys Security team discovered two vulnerabilities in the roaming
>> code of the OpenSSH client (an implementation of the SSH protocol
>> suite).
>>
>> SSH roaming enables a client, in case an SSH connection breaks
>> unexpectedly, to resume it at a later time, provided the server also
>> supports it.
>>
>> The OpenSSH server doesn't support roaming, but the OpenSSH client
>> supports it (even though it's not documented) and it's enabled by
>> default.
>>
>> CVE-2016-0777
>>
>>     An information leak (memory disclosure) can be exploited by a rogue
>>     SSH server to trick a client into leaking sensitive data from the
>>     client memory, including for example private keys.
>>
>> CVE-2016-0778
>>
>>     A buffer overflow (leading to file descriptor leak), can also be
>>     exploited by a rogue SSH server, but due to another bug in the code
>>     is possibly not exploitable, and only under certain conditions (not
>>     the default configuration), when using ProxyCommand, ForwardAgent or
>>     ForwardX11.
>>
>> This security update completely disables the roaming code in the OpenSSH
>> client.
>>
>> It is also possible to disable roaming by adding the (undocumented)
>> option 'UseRoaming no' to the global /etc/ssh/ssh_config file, or to the
>> user configuration in ~/.ssh/config, or by passing -oUseRoaming=no on
>> the command line.
>>
>> Users with passphrase-less private keys, especially in non-interactive
>> setups (automated jobs using ssh, scp, rsync+ssh etc.) are advised to
>> update their keys if they have connected to an SSH server they don't
>> trust.
>>
>> More details about identifying an attack and mitigations will be
>> available in the Qualys Security Advisory.
>>
>> For the oldstable distribution (wheezy), these problems have been fixed
>> in version 1:6.0p1-4+deb7u3.
>>
>> For the stable distribution (jessie), these problems have been fixed in
>> version 1:6.7p1-5+deb8u1.
>>
>> For the testing distribution (stretch) and unstable distribution (sid),
>> these problems will be fixed in a later version.
>>
>> We recommend that you upgrade your openssh packages.
>>
>> Further information about Debian Security Advisories, how to apply
>> these updates to your system and frequently asked questions can be
>> found at: https://www.debian.org/security/
>>
>> Mailing list: [email protected]
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v2
>> -----END PGP SIGNATURE-----
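The advisory's configuration workaround ('UseRoaming no' in ssh_config) as an added, runnable example that is not part of the thread or of OpenSSH. It assumes POSIX sh with awk and mktemp, and goes one step beyond the one-liner above: because ssh_config keeps the first value it reads for an option, the directive is prepended to the global section so that no existing per-Host setting can take precedence, and the function is idempotent.

```shell
#!/bin/sh
# Added example, not part of the thread or of OpenSSH. Assumes POSIX sh, awk
# and mktemp. Disables OpenSSH client roaming in an ssh_config-style file
# and verifies the result.

# Print the value of the first UseRoaming directive in the global section
# (before any Host/Match block). ssh_config uses the first value it reads
# for an option, so a global directive at the top wins over later Host
# blocks. Prints nothing when no global directive exists.
global_useroaming() {
    [ -f "$1" ] || return 1
    awk '
        { line = tolower($0); sub(/^[ \t]+/, "", line) }
        line ~ /^(host|match)([ \t=]|$)/ { exit }      # end of global section
        line ~ /^useroaming[ \t=]+/ {
            sub(/^useroaming[ \t=]+/, "", line)
            sub(/[ \t]+$/, "", line)
            print line; exit
        }
    ' "$1"
}

# Idempotently prepend "UseRoaming no" to the file. Prepending rather than
# appending means an existing "UseRoaming yes" in any block cannot win.
# printf is used instead of echo -e, which is not portable across shells.
disable_roaming() {
    cfg=$1
    [ "$(global_useroaming "$cfg")" = "no" ] && return 0   # already hardened
    tmp=$(mktemp) || return 1
    {
        printf '# Disable undocumented SSH roaming (CVE-2016-0777, CVE-2016-0778)\n'
        printf 'UseRoaming no\n'
        if [ -f "$cfg" ]; then cat "$cfg"; fi
    } > "$tmp"
    cat "$tmp" > "$cfg"    # write in place to keep ownership and permissions
    rm -f "$tmp"
}

# Demo on a constructed sample config (not anyone's real ~/.ssh/config).
demo_dir=$(mktemp -d)
sample="$demo_dir/config"
printf 'Host bastion\n    UseRoaming yes\n    User ops\n' > "$sample"
disable_roaming "$sample"
echo "global UseRoaming is now: $(global_useroaming "$sample")"   # no
rm -rf "$demo_dir"
```

Point it at ~/.ssh/config, or as root at /etc/ssh/ssh_config; the check function alone is enough to audit a fleet of hosts without modifying anything.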

