[manjaro-security] [arch-security] [ASA-201601-9] openssh: multiple issues

Alexandru Ianu alexandru.ianu at gmail.com
Fri Jan 15 18:24:18 CET 2016


On Thu, Jan 14, 2016 at 7:12 PM, Levente Polyak <anthraxx at archlinux.org>
wrote:

> Arch Linux Security Advisory ASA-201601-9
> =========================================
>
> Severity: High
> Date    : 2016-01-14
> CVE-ID  : CVE-2016-0777 CVE-2016-0778
> Package : openssh
> Type    : multiple issues
> Remote  : Yes
> Link    : https://wiki.archlinux.org/index.php/CVE
>
> Summary
> =======
>
> The package openssh before version 7.1p2-1 is vulnerable to multiple
> issues including information disclosure (including the client's private
> keys) and arbitrary code execution.
>
> Resolution
> ==========
>
> Upgrade to 7.1p2-1.
>
> # pacman -Syu "openssh>=7.1p2-1"
>
> The problems have been fixed upstream in version 7.1p2.
>
> Workaround
> ==========
>
> It is possible to mitigate this issue by setting the following option in
> the OpenSSH client's configuration file manually, either globally
> (/etc/ssh/ssh_config) or per user (~/.ssh/config):
>
>     UseRoaming no
>
> The above directive should be placed in the Host * section of the
> configuration file to use this setting for all SSH servers the client
> connects to.
>
> You can also set the option via a command line argument when connecting
> to an SSH server:
>
>     -o 'UseRoaming no'
>
> Using one of those configuration values mitigates the problems by
> disabling the roaming feature.
>
> Description
> ===========
>
> - CVE-2016-0777 (information disclosure)
>
> An information leak flaw was found in the way the OpenSSH client roaming
> feature was implemented. A malicious server could potentially use this
> flaw to leak portions of memory (possibly including private SSH keys) of
> a successfully authenticated OpenSSH client.
>
> - CVE-2016-0778 (arbitrary code execution)
>
> A buffer overflow flaw was found in the way the OpenSSH client roaming
> feature was implemented that leads to a file descriptor leak. A
> malicious server could potentially use this flaw to execute arbitrary
> code on a successfully authenticated OpenSSH client if that client used
> certain non-default configuration options (ProxyCommand, ForwardAgent or
> ForwardX11).
>
> Impact
> ======
>
> A remote attacker is able to use a malicious server to leak client
> memory, including the client's private keys or, under certain
> non-default circumstances, execute arbitrary code.
>
> Users with passphrase-less private keys, especially in non-interactive
> setups (automated jobs using ssh, scp, rsync+ssh etc.) are advised to
> update their keys if they have connected to an SSH server they don't
> fully trust.
>
> References
> ==========
>
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034680.html
> https://access.redhat.com/security/cve/CVE-2016-0777
> https://access.redhat.com/security/cve/CVE-2016-0778
>

The critical vulnerability ASA-201601-9 is fixed in Manjaro:

https://lists.manjaro.org/pipermail/manjaro-packages/Week-of-Mon-20160111/005635.html
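As an added example (not part of the advisory or of either list post), the following POSIX shell script does the two checks a practitioner wants before trusting the workaround above: whether the client's `ssh -V` version still predates the fixed 7.1p2 release, and whether an ssh_config actually applies `UseRoaming no` to every destination given ssh_config's first-match-wins rule (a `UseRoaming yes` in an earlier Host block would still win for that host). It can also prepend the directive when coverage is missing. The function names, the `--check`/`--demo` entry points and the constructed sample config inside `demo` are assumptions of this example; it relies only on sh, awk, sed and mktemp.

```shell
#!/bin/sh
# Added example, not from the advisory: audit an OpenSSH client for the
# CVE-2016-0777 / CVE-2016-0778 roaming exposure and apply the workaround.
# Assumes POSIX sh, awk, sed and mktemp; all function names are our own.

# ssh_version_needs_fix "<ssh -V output>": returns 0 when the version is older
# than 7.1p2 (still carries the roaming client code), 1 when it is 7.1p2 or
# newer, 2 when the string is not an OpenSSH version at all.
# Note that `ssh -V` prints to stderr, so callers collect it with `ssh -V 2>&1`.
ssh_version_needs_fix() {
  ver=$(printf '%s' "$1" | sed -n \
    's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)\(\.[0-9][0-9]*\)*p\([0-9][0-9]*\).*/\1 \2 \4/p')
  [ -n "$ver" ] || return 2
  set -- $ver                       # now $1=major $2=minor $3=portable patch
  if [ "$1" -ne 7 ]; then [ "$1" -lt 7 ]; return $?; fi
  if [ "$2" -ne 1 ]; then [ "$2" -lt 1 ]; return $?; fi
  [ "$3" -lt 2 ]
}

# roaming_disabled_in <ssh_config>: returns 0 only if "UseRoaming no" reaches
# every destination, i.e. it appears before any Host/Match block or inside a
# bare "Host *" block, and no "UseRoaming yes" precedes it (first match wins,
# so an earlier host-specific "yes" would still enable roaming for that host).
roaming_disabled_in() {
  awk '
    BEGIN { global = 1; covered = 0; overridden = 0 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    {
      key = $1; val = $2
      n = index(key, "=")                      # accept "Keyword=value" too
      if (n > 0) { val = substr(key, n + 1); key = substr(key, 1, n - 1) }
      else if (val == "=") val = $3            # and "Keyword = value"
      key = tolower(key); val = tolower(val)
      if (key == "host" || key == "match") {
        # only a bare "Host *" applies everywhere; Match blocks and
        # pattern lists are conservatively treated as host-specific
        global = (key == "host" && NF == 2 && val == "*")
        next
      }
      if (key == "useroaming") {
        if (val == "yes" && !covered) overridden = 1
        if (val == "no" && global) covered = 1
      }
    }
    END { if (covered && !overridden) exit 0; exit 1 }
  ' "$1"
}

# ensure_roaming_disabled <ssh_config>: prepends "UseRoaming no" unless the
# file already covers every host. Prepending (rather than appending a Host *
# block as the advisory suggests) means no earlier block can override it.
# The file is rewritten in place so its ownership and mode are preserved.
ensure_roaming_disabled() {
  cfg=$1
  [ -f "$cfg" ] || ( umask 077; : > "$cfg" )   # new ~/.ssh/config must be 0600
  if roaming_disabled_in "$cfg"; then return 0; fi
  tmp=$(mktemp) || return 1
  { printf 'UseRoaming no\n'; cat "$cfg"; } > "$tmp" && cat "$tmp" > "$cfg"
  rm -f "$tmp"
}

# demo: runs both checks against a constructed sample config (not a real
# host's file) and a pair of version strings.
demo() {
  dir=$(mktemp -d) || exit 1
  cfg="$dir/config"
  printf 'Host bastion\n    ProxyCommand ssh -W %%h:%%p jump\n' > "$cfg"
  for v in "OpenSSH_7.1p1, OpenSSL 1.0.2e 1 Dec 2015" \
           "OpenSSH_7.1p2, OpenSSL 1.0.2e 1 Dec 2015"; do
    if ssh_version_needs_fix "$v"; then echo "$v: upgrade or apply workaround"
    else echo "$v: fixed upstream"; fi
  done
  roaming_disabled_in "$cfg" && echo "before: covered" || echo "before: NOT covered"
  ensure_roaming_disabled "$cfg"
  roaming_disabled_in "$cfg" && echo "after: covered" || echo "after: NOT covered"
  rm -rf "$dir"
}

case "${1-}" in
  --demo)  demo ;;
  --check)                                     # report on the local client
    v=$(ssh -V 2>&1)
    if ssh_version_needs_fix "$v"; then
      echo "$v: vulnerable; run: $0 --apply"
    else
      echo "$v: not affected"
    fi ;;
  --apply) ensure_roaming_disabled "$HOME/.ssh/config" ;;
esac
```

The version check parses only the `OpenSSH_X.Y[.Z]pN` prefix, so distribution suffixes after it are ignored; a distribution that backported the fix without bumping the version (as Arch's 7.1p2-1 did not need to) would still be reported as vulnerable, which is the safe failure mode. The config check is deliberately conservative: `Match` blocks and `Host` pattern lists are treated as not covering every host, so a false "NOT covered" is possible, a false "covered" is not.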