Article 10NTC De Raadt: Important SSH patch coming soon

by corbet from LWN.net on (#10NTC)
Theo de Raadt suggests that a significant OpenSSH security issue is about to be exposed; the message reads, in full: "Important SSH patch coming soon. For now, everyone on all operating systems, please do the following: Add undocumented 'UseRoaming no' to ssh_config or use '-oUseRoaming=no' to prevent upcoming #openssh client bug CVE-2016-0777. More later."

Update: that important patch appears to be OpenSSH 7.1p2, available now. "The OpenSSH client code between 5.4 and 7.1 contains experimental support for resuming SSH-connections (roaming). The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys." There are a few other security fixes there as well.

Update 2: see the Qualys advisory for vast amounts of detail.
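
One way to check that the workaround is actually in effect, as an added example that is not part of the article or of OpenSSH: the function names `roaming_affected` and `roaming_disabled` are hypothetical, the version range is the one quoted above, and the config check assumes ssh_config's rule that the first value obtained for an option wins.

```shell
# Added example (not from the article): audit an OpenSSH client for CVE-2016-0777.

# roaming_affected "OpenSSH_6.9p1, ..." exits 0 if the upstream version is in the
# affected range (5.4 up to 7.1p1), 1 if not, 2 if the string cannot be parsed.
# Assumption: a distro package with a backported fix may still report an old version.
roaming_affected() {
    printf '%s\n' "$1" | awk '
        match($0, /OpenSSH_[0-9]+\.[0-9]+/) {
            split(substr($0, RSTART + 8, RLENGTH - 8), n, ".")
            rest = substr($0, RSTART + RLENGTH)
            sub(/^[0-9.]*/, "", rest)              # skip a third part, as in 6.6.1p1
            p = (rest ~ /^p[0-9]/) ? substr(rest, 2) + 0 : 0
            num = n[1] * 100 + n[2]
            if (num < 504 || num > 701 || (num == 701 && p >= 2)) exit 1
            exit 0
        }
        { exit 2 }'
}

# roaming_disabled FILE exits 0 only if every host ends up with UseRoaming no.
# A "yes" obtained before a universal "no" still wins for the hosts it matches,
# and a "no" inside a specific Host or Match block does not cover other hosts.
roaming_disabled() {
    awk '
        BEGIN { universal = 1; ok = 0 }            # lines before any Host apply to all
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^#/ || /^$/ { next }
        {
            line = $0
            sub(/[ \t]+=?[ \t]*|=[ \t]*/, " ", line)   # "key value" or "key=value"
            n = index(line, " ")
            key = tolower(n ? substr(line, 1, n - 1) : line)
            arg = n ? substr(line, n + 1) : ""
            gsub(/"/, "", arg)
            if (key == "host")  { universal = (arg == "*"); next }
            if (key == "match") { universal = 0; next }
            if (key != "useroaming") next
            if (tolower(arg) == "no" && universal) { ok = 1; exit }
            if (tolower(arg) != "no") exit         # roaming left on for some host
        }
        END { exit ok ? 0 : 1 }' "$1"
}

# Constructed sample: a per-host "yes" placed before the universal "no".
sample=$(mktemp)
printf 'Host legacy\n  UseRoaming yes\nHost *\n  UseRoaming no\n' > "$sample"
roaming_disabled "$sample" || echo "UseRoaming is not disabled for every host"
rm -f "$sample"
```

On a real client, pass the output of `ssh -V 2>&1` to `roaming_affected` and run `roaming_disabled` over both the system-wide ssh_config and `~/.ssh/config`.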
