Many distros will backport the patch, yet maintain the same version
number. This is the case in Debian. If you look below, the version
appears to be vulnerable, yet the changelog indicates otherwise. This
is often the case when doing compliance for financial transactions and
you have to explain that the version has been patched.
The long story short is check your Changelog.
/usr/share/doc/openssh-client
changelog.Debian.gz
$ ssh -V
OpenSSH_6.7p1 Debian-5+deb8u1, OpenSSL 1.0.1k 8 Jan 2015
openssh (1:6.7p1-5+deb8u1) jessie-security; urgency=high
* Non-maintainer upload by the Security Team.
* Disable roaming in openssh client: roaming code is vulnerable to an
information leak (CVE-2016-0777) and heap-based buffer overflow
(CVE-2016-0778).
-- Yves-Alexis Perez <cor...@debian.org> Wed, 13 Jan 2016 22:08:52 +0100
brian
On Fri, Jan 15, 2016 at 12:24:09PM -0800, Bill Kendrick wrote:
>
> If you're using OpenSSH 5.4 thru 7.1 (check "ssh -V"),
> you'll want to disable the "UseRoaming" feature (which was
> unused on SSH servers, but left around in SSH clients,
> and can be exploited):
>
> http://undeadly.org/cgi?action=article&sid=20160114142733
>
> --
> -bill!
> Sent from my computer
> _______________________________________________
> vox-tech mailing list
> vox-tech@lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech
--
Brian Lavender
http://www.brie.com/brian/
"There are two ways of constructing a software design. One way is to
make it so simple that there are obviously no deficiencies. And the other
way is to make it so complicated that there are no obvious deficiencies."
Professor C. A. R. Hoare
The 1980 Turing award lecture
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
