USN-2869-1: OpenSSH vulnerabilities | Ubuntu

http://www.ubuntu.com/usn/usn-2869-1/



  1. Tomi Engdahl says:

    USN-2869-1: OpenSSH vulnerabilities
    http://www.ubuntu.com/usn/usn-2869-1/

    Details
    It was discovered that the OpenSSH client experimental support for resuming
    connections contained multiple security issues. A malicious server could
    use this issue to leak client memory to the server, including private
    client user keys.

    OpenSSH: client bugs CVE-2016-0777 and CVE-2016-0778
    http://undeadly.org/cgi?action=article&sid=20160114142733

    This is the most serious bug you’ll hear about this week: the issues identified and fixed in OpenSSH are dubbed CVE-2016-0777 and CVE-2016-0778.
    An early heads up came from Theo de Raadt in this mailing list posting.
    Until you are able to patch affected systems, the recommended workaround is to use

    UPDATE: This affects OpenSSH versions 5.4 through 7.1.
    UPDATE: The following commit from deraadt@ has just gone in:
    CVSROOT: /cvs
    Module name: src
    Changes by: [email protected] 2016/01/14 07:34:34

    Modified files:
    usr.bin/ssh : readconf.c ssh.c

    Log message:
    Disable experimental client-side roaming support. Server side was
    disabled/gutted for years already, but this aspect was surprisingly
    forgotten. Thanks for report from Qualys

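The advisory gives the affected client range as OpenSSH 5.4 through 7.1, and the commit log shows the fix is simply to disable the client-side roaming code. A quick way to triage a fleet is to parse the string `ssh -V` prints and test it against that range. The script below is an added example written for this page, not code from Ubuntu, the OpenSSH project or the commenter; the version strings in the comments are constructed. It only compares the upstream base version, so a distribution package that backports the fix while keeping the same base number (as Ubuntu's updated packages do) still reports as "in the affected range" and needs its changelog checked.

```shell
#!/bin/sh
# Added example: classify an OpenSSH client version string against the
# range the advisory names as affected (5.4 through 7.1 inclusive).
# Input is the form printed by `ssh -V`, e.g. (constructed sample)
#   "OpenSSH_7.1p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2e 3 Dec 2015"

# Extract "MAJOR.MINOR" from an `ssh -V` style string; prints nothing
# if the string does not start with "OpenSSH_".
ssh_version_number() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Exit 0 if MAJOR.MINOR is within 5.4 .. 7.1 inclusive, 1 if outside,
# 2 if the string is not an OpenSSH version at all.
# "In range" means "verify the package changelog for the backported fix",
# not a final verdict: patched distro builds keep the same base number.
ssh_version_affected() {
    ver=$(ssh_version_number "$1")
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    minor=${ver#*.}
    # Encode as major*100+minor so one integer comparison covers the range.
    n=$((major * 100 + minor))
    [ "$n" -ge 504 ] && [ "$n" -le 701 ]
}

# Usage: `sh check_ssh_roaming.sh --check` runs it against the local client.
# (`ssh -V` writes its banner to stderr, hence the redirection.)
if [ "${1:-}" = "--check" ]; then
    v=$(ssh -V 2>&1)
    if ssh_version_affected "$v"; then
        echo "In affected range: $v (confirm a patched package or that roaming is disabled)"
    else
        echo "Outside affected range: $v"
    fi
fi
```

Run with `--check` on each host, or feed it version strings collected by inventory tooling; for the final call, the Ubuntu package version from the USN is the authoritative signal, not the base version.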
