[manjaro-security] [arch-security] [ASA-201601-9] openssh: multiple issues
alexandru.ianu at gmail.com
Fri Jan 15 18:24:18 CET 2016
On Thu, Jan 14, 2016 at 7:12 PM, Levente Polyak <anthraxx at archlinux.org>
> Arch Linux Security Advisory ASA-201601-9
> Severity: High
> Date : 2016-01-14
> CVE-ID : CVE-2016-0777 CVE-2016-0778
> Package : openssh
> Type : multiple issues
> Remote : Yes
> Link : https://wiki.archlinux.org/index.php/CVE
> The package openssh before version 7.1p2-1 is vulnerable to multiple
> issues including information disclosure (including the client's private
> keys) and arbitrary code execution.
> Upgrade to 7.1p2-1.
> # pacman -Syu "openssh>=7.1p2-1"
> The problems have been fixed upstream in version 7.1p2.
> It is possible to mitigate this issue by setting the following option in
> the OpenSSH client's configuration file manually, either global
> (/etc/ssh/ssh_config) or user specific (~/.ssh/config):
> UseRoaming no
> The above directive should be placed in the Host * section of the
> configuration file to use this setting for all SSH servers the client
> connects to.
> You can also set the option via a command line argument when connecting
> to an SSH server:
> -o 'UseRoaming no'
> Using one of those configuration values mitigates the problems by
> disabling the roaming feature.
> - CVE-2016-0777 (information disclosure)
> An information leak flaw was found in the way the OpenSSH client roaming
> feature was implemented. A malicious server could potentially use this
> flaw to leak portions of memory (possibly including private SSH keys) of
> a successfully authenticated OpenSSH client.
> - CVE-2016-0778 (arbitrary code execution)
> A buffer overflow flaw was found in the way the OpenSSH client roaming
> feature was implemented that is leading to a file descriptor leak. A
> malicious server could potentially use this flaw to execute arbitrary
> code on a successfully authenticated OpenSSH client if that client used
> certain non-default configuration options (ProxyCommand, ForwardAgent or
> A remote attacker is able to use a malicious server to leak client
> memory, including the client's private keys or, under certain non
> default circumstances, execute arbitrary code.
> Users with passphrase-less privates keys, especially in non interactive
> setups (automated jobs using ssh, scp, rsync+ssh etc.) are advised to
> update their keys if they have connected to an SSH server they don't
> fully trust.
The critical vulnerability ASA-201601-9 is fixed in Manjaro:
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the manjaro-security