ArchLinux: 201601-9: openssh: multiple issues
Summary
- CVE-2016-0777 (information disclosure)
An information leak flaw was found in the way the OpenSSH client roaming
feature was implemented. A malicious server could potentially use this
flaw to leak portions of memory (possibly including private SSH keys) of
a successfully authenticated OpenSSH client.
- CVE-2016-0778 (arbitrary code execution)
A buffer overflow flaw was found in the way the OpenSSH client roaming
feature was implemented, which in turn leads to a file descriptor leak. A
malicious server could potentially use this flaw to execute arbitrary
code on a successfully authenticated OpenSSH client if that client uses
certain non-default configuration options (ProxyCommand, ForwardAgent or
ForwardX11).
Resolution
Upgrade to 7.1p2-1.
# pacman -Syu "openssh>=7.1p2-1"
The problems have been fixed upstream in version 7.1p2.
References
https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034680.html
https://access.redhat.com/security/cve/CVE-2016-0777
https://access.redhat.com/security/cve/CVE-2016-0778
Workaround
It is possible to mitigate these issues by disabling the roaming feature in the OpenSSH client's configuration file, either globally (/etc/ssh/ssh_config) or per user (~/.ssh/config):
    Host *
        UseRoaming no
The directive should be placed in the Host * section of the configuration file so that it applies to every SSH server the client connects to. Note that ssh keeps the first value it reads for an option, so a more specific Host block earlier in the file that sets UseRoaming yes would still take precedence for that host.
You can also pass the option on the command line when connecting to an SSH server; command-line options take precedence over both configuration files:
    ssh -o 'UseRoaming no' user@host
Either setting mitigates the problems by disabling the roaming feature entirely, so the vulnerable code is never reached.
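The following script is an added example, not part of this advisory or of OpenSSH itself. It shows how an administrator might check whether an installed client predates the 7.1p2 fix (from the banner that ssh -V prints) and apply the UseRoaming no workaround to a client config file without clobbering an existing setting. The helper names, the version cut-off logic and the sample config are all assumptions made here for illustration.

```sh
#!/bin/sh
# Added example, not part of the Arch advisory or of OpenSSH itself.
# Two helpers: decide from an "ssh -V" banner whether a client build predates
# the 7.1p2 fix, and apply the advisory's "UseRoaming no" workaround to a
# client config file without overriding an existing setting.

# openssh_needs_workaround "OpenSSH_7.1p1, OpenSSL 1.0.2e 3 Dec 2015"
# Exit status: 0 = older than 7.1p2 (apply the workaround), 1 = 7.1p2 or
# newer, 2 = banner not understood. Conservative assumption: any build
# before 7.1p2 is treated as affected.
openssh_needs_workaround() {
    v=${1#OpenSSH_}                 # "7.1p1, OpenSSL ..." (ssh -V writes to stderr)
    v=${v%%[[:space:],]*}           # "7.1p1"
    case $v in
        [0-9]*.[0-9]*) ;;
        *) return 2 ;;
    esac
    major=${v%%.*}                  # 7
    rest=${v#*.}                    # "1p1"
    minor=${rest%%p*}               # 1
    patch=${rest#"$minor"}          # "p1", or "" for releases without a p-level
    patch=${patch#p}
    patch=${patch:-0}
    case "$major$minor$patch" in
        *[!0-9]*) return 2 ;;       # vendor suffixes etc.: not understood
    esac
    # 7.1p2 -> 70102; anything numerically below it still has the bug
    if [ $((major * 10000 + minor * 100 + patch)) -lt 70102 ]; then
        return 0
    fi
    return 1
}

# ensure_use_roaming_no FILE
# Prints "unchanged" when FILE already sets UseRoaming no, "added" after
# appending a "Host *" block that sets it, and "conflict" (exit status 2)
# when FILE already sets UseRoaming to something else: ssh keeps the first
# value it reads for an option, so an earlier "UseRoaming yes" would win
# over anything appended and needs a manual edit instead.
ensure_use_roaming_no() {
    f=$1
    [ -f "$f" ] || : > "$f"
    if grep -Eiq '^[[:space:]]*UseRoaming[[:space:]=]+no([[:space:]]|$)' "$f"; then
        echo unchanged
        return 0
    fi
    if grep -Eiq '^[[:space:]]*UseRoaming([[:space:]=]|$)' "$f"; then
        echo conflict
        return 2
    fi
    printf '\n# CVE-2016-0777 / CVE-2016-0778 workaround: disable client roaming\nHost *\n    UseRoaming no\n' >> "$f"
    echo added
}

# Check the installed client, if there is one on this machine.
if command -v ssh >/dev/null 2>&1; then
    rc=0
    openssh_needs_workaround "$(ssh -V 2>&1)" || rc=$?
    case $rc in
        0) echo "installed ssh predates 7.1p2: set UseRoaming no" ;;
        1) echo "installed ssh is 7.1p2 or newer" ;;
        *) echo "ssh -V banner not recognised; check the version by hand" ;;
    esac
fi

# Demo on a constructed client config (not a real file). Agent forwarding is
# one of the non-default options that makes CVE-2016-0778 exploitable, and
# nothing in the file disables roaming yet.
cfg=$(mktemp)
printf 'Host bastion\n    HostName bastion.example.org\n    ForwardAgent yes\n' > "$cfg"
ensure_use_roaming_no "$cfg"     # first run appends the Host * block
ensure_use_roaming_no "$cfg"     # second run is a no-op
cat "$cfg"
rm -f "$cfg"
```

Run it as a normal user to inspect ~/.ssh/config, or as root against /etc/ssh/ssh_config; on a system whose ssh is already 7.1p2 or newer the workaround is redundant (7.2 removed the roaming code entirely) but harmless.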