<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jan 14, 2016 at 7:12 PM, Levente Polyak <span dir="ltr">&lt;<a href="mailto:anthraxx@archlinux.org" target="_blank">anthraxx@archlinux.org</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Arch Linux Security Advisory ASA-201601-9<br>
=========================================<br>
<br>
Severity: High<br>
Date : 2016-01-14<br>
CVE-ID : CVE-2016-0777 CVE-2016-0778<br>
Package : openssh<br>
Type : multiple issues<br>
Remote : Yes<br>
Link : <a href="https://wiki.archlinux.org/index.php/CVE" rel="noreferrer" target="_blank">https://wiki.archlinux.org/index.php/CVE</a><br>
<br>
Summary<br>
=======<br>
<br>
The package openssh before version 7.1p2-1 is vulnerable to multiple<br>
issues including information disclosure (including the client's private<br>
keys) and arbitrary code execution.<br>
<br>
Resolution<br>
==========<br>
<br>
Upgrade to 7.1p2-1.<br>
<br>
# pacman -Syu "openssh>=7.1p2-1"<br>
<br>
The problems have been fixed upstream in version 7.1p2.<br>
<br>
Workaround<br>
==========<br>
<br>
It is possible to mitigate this issue by setting the following option in<br>
the OpenSSH client's configuration file manually, either global<br>
(/etc/ssh/ssh_config) or user specific (~/.ssh/config):<br>
<br>
UseRoaming no<br>
<br>
The above directive should be placed in the Host * section of the<br>
configuration file to use this setting for all SSH servers the client<br>
connects to.<br>
<br>
You can also set the option via a command line argument when connecting<br>
to an SSH server:<br>
<br>
-o 'UseRoaming no'<br>
<br>
Using one of those configuration values mitigates the problems by<br>
disabling the roaming feature.<br>
<br>
Description<br>
===========<br>
<br>
- CVE-2016-0777 (information disclosure)<br>
<br>
An information leak flaw was found in the way the OpenSSH client roaming<br>
feature was implemented. A malicious server could potentially use this<br>
flaw to leak portions of memory (possibly including private SSH keys) of<br>
a successfully authenticated OpenSSH client.<br>
<br>
- CVE-2016-0778 (arbitrary code execution)<br>
<br>
A buffer overflow flaw was found in the way the OpenSSH client roaming<br>
feature was implemented that is leading to a file descriptor leak. A<br>
malicious server could potentially use this flaw to execute arbitrary<br>
code on a successfully authenticated OpenSSH client if that client used<br>
certain non-default configuration options (ProxyCommand, ForwardAgent or<br>
ForwardX11).<br>
<br>
Impact<br>
======<br>
<br>
A remote attacker is able to use a malicious server to leak client<br>
memory, including the client's private keys or, under certain<br>
non-default circumstances, execute arbitrary code.<br>
<br>
Users with passphrase-less private keys, especially in non-interactive<br>
setups (automated jobs using ssh, scp, rsync+ssh etc.) are advised to<br>
update their keys if they have connected to an SSH server they don't<br>
fully trust.<br>
<br>
References<br>
==========<br>
<br>
<a href="https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034680.html" rel="noreferrer" target="_blank">https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034680.html</a><br>
<a href="https://access.redhat.com/security/cve/CVE-2016-0777" rel="noreferrer" target="_blank">https://access.redhat.com/security/cve/CVE-2016-0777</a><br>
<a href="https://access.redhat.com/security/cve/CVE-2016-0778" rel="noreferrer" target="_blank">https://access.redhat.com/security/cve/CVE-2016-0778</a><br>
<br></blockquote></div><br></div><div class="gmail_extra">The critical vulnerability ASA-201601-9 is fixed in Manjaro:<br><br><a href="https://lists.manjaro.org/pipermail/manjaro-packages/Week-of-Mon-20160111/005635.html">https://lists.manjaro.org/pipermail/manjaro-packages/Week-of-Mon-20160111/005635.html</a><br></div></div>
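<div>An added example, not part of the original thread or of the advisory: a static check that the UseRoaming workaround described above actually applies to every host in a client configuration file. It relies on ssh_config using the first value obtained for each option, so a "UseRoaming yes" above the catch-all block still wins; the function name check_roaming and the host build.example are assumptions made for illustration.</div>

```shell
#!/bin/sh
# Added example: static audit of an OpenSSH client config for "UseRoaming no".
# ssh_config uses the first value obtained for each option, so a
# "UseRoaming yes" that appears before the catch-all "no" still wins.
# Prints one of: mitigated | overridden | unmitigated
check_roaming() {
    awk '
    BEGIN { scope = "all"; no_all = 0; yes_first = 0 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    {
        line = $0
        gsub(/"/, "", line)                      # values may be quoted
        gsub(/[ \t]*=[ \t]*/, " ", line)         # accept the "Key=value" form
        sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
        n = split(line, f, /[ \t]+/)
        key = tolower(f[1])
        # Directives before any Host/Match line, or under "Host *", apply to all hosts.
        if (key == "host")  { scope = (n == 2 && f[2] == "*") ? "all" : "some"; next }
        if (key == "match") { scope = (n == 2 && tolower(f[2]) == "all") ? "all" : "some"; next }
        if (key != "useroaming" || no_all) next  # nothing after a catch-all "no" matters
        val = tolower(f[2])
        if (val == "yes") yes_first = 1
        else if (val == "no" && scope == "all") no_all = 1
    }
    END {
        if (yes_first)   print "overridden"      # roaming enabled for at least one host
        else if (no_all) print "mitigated"
        else             print "unmitigated"     # absent, or set only for specific hosts
    }' "$1"
}

# Constructed sample: a per-host "yes" placed above the catch-all block.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Host build.example
    UseRoaming yes

Host *
    UseRoaming no
EOF
echo "sample config: $(check_roaming "$sample")"
rm -f "$sample"
```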