===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0113
                           openssh security update
                              15 January 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openssh
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   Debian GNU/Linux 8
Impact/Access:     Access Privileged Data          -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-0778 CVE-2016-0777

Reference:         ESB-2016.0111

Original Bulletin:
   http://www.debian.org/security/2016/dsa-3446

---------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-3446-1                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
January 14, 2016                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : openssh
CVE ID         : CVE-2016-0777 CVE-2016-0778
Debian Bug     : 810984

The Qualys Security team discovered two vulnerabilities in the roaming
code of the OpenSSH client (an implementation of the SSH protocol suite).

SSH roaming enables a client, in case an SSH connection breaks
unexpectedly, to resume it at a later time, provided the server also
supports it.

The OpenSSH server doesn't support roaming, but the OpenSSH client
supports it (even though it's not documented) and it's enabled by
default.

CVE-2016-0777

    An information leak (memory disclosure) can be exploited by a rogue
    SSH server to trick a client into leaking sensitive data from the
    client memory, including for example private keys.
CVE-2016-0778

    A buffer overflow (leading to a file descriptor leak) can also be
    exploited by a rogue SSH server, but due to another bug in the code
    it is possibly not exploitable, and only under certain conditions
    (not the default configuration), when using ProxyCommand,
    ForwardAgent or ForwardX11.

This security update completely disables the roaming code in the OpenSSH
client.

It is also possible to disable roaming by adding the (undocumented) option
'UseRoaming no' to the global /etc/ssh/ssh_config file, or to the user
configuration in ~/.ssh/config, or by passing -oUseRoaming=no on the
command line.

Users with passphrase-less private keys, especially in non-interactive
setups (automated jobs using ssh, scp, rsync+ssh etc.), are advised to
update their keys if they have connected to an SSH server they don't
trust.

More details about identifying an attack and mitigations will be
available in the Qualys Security Advisory.

For the oldstable distribution (wheezy), these problems have been fixed
in version 1:6.0p1-4+deb7u3.

For the stable distribution (jessie), these problems have been fixed in
version 1:6.7p1-5+deb8u1.

For the testing distribution (stretch) and unstable distribution (sid),
these problems will be fixed in a later version.

We recommend that you upgrade your openssh packages.
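Added example, not part of the Debian advisory or the AusCERT bulletin: a POSIX shell check that reports whether an ssh_config-style file carries an effective global 'UseRoaming no'. It follows the client's first-obtained-value rule, so it catches the two ways the workaround silently fails to apply: the option placed under a Host or Match block, or an earlier explicit 'UseRoaming yes'. The function names and the sample configuration contents are my own constructions.

```shell
#!/bin/sh
# Added example: report whether an ssh_config-style file disables SSH roaming
# for every host. ssh_config semantics: the first obtained value of an option
# wins, and settings under a Host/Match block apply only to matching hosts.
# So "UseRoaming no" only protects globally if it appears before any Host or
# Match block (a bare "Host *" still covers every host) and is not preceded
# by an explicit "UseRoaming yes". A -oUseRoaming=no on the command line
# overrides whatever the files say and is not visible to this check.
# Prints: disabled | enabled (explicit yes) | default (unset; roaming stays on
# in an unpatched client).
roaming_status() {
  awk '
    { sub(/#.*/, ""); gsub(/=/, " ") }           # strip comments, allow Key=Value
    NF == 0 { next }
    { key = tolower($1) }                        # keywords are case-insensitive
    key == "host" && NF == 2 && $2 == "*" { next }
    key == "host" || key == "match" { done = 1; print "default"; exit }
    key == "useroaming" {
      done = 1
      v = ($2 == "no") ? "disabled" : "enabled"
      print v
      exit
    }
    END { if (!done) print "default" }
  ' "$1"
}

# Combine the files in the order the client reads them: ~/.ssh/config first,
# then /etc/ssh/ssh_config. The first file with an explicit verdict wins.
effective_roaming_status() {
  for f in "$@"; do
    [ -r "$f" ] || continue
    s=$(roaming_status "$f")
    if [ "$s" != "default" ]; then
      echo "$s"
      return 0
    fi
  done
  echo "default"
}

# Demonstration on constructed sample files, not a real system configuration.
sample=$(mktemp)
printf 'Host bastion\n    UseRoaming no\n' > "$sample"          # only for "bastion"
echo "scoped to one host: $(roaming_status "$sample")"       # default
printf '# hardening\nUseRoaming=no\nHost *\n    ForwardAgent yes\n' > "$sample"
echo "global before Host block: $(roaming_status "$sample")"  # disabled
rm -f "$sample"
echo "this machine: $(effective_roaming_status "$HOME/.ssh/config" /etc/ssh/ssh_config)"
```

A "default" verdict on a client older than the fixed versions above means roaming is still active and the upgrade or the config change is still outstanding.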
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================