[arch-security] [ASA-201601-9] openssh: multiple issues
Arch Linux Security Advisory ASA-201601-9
=========================================

Severity: High
Date    : 2016-01-14
CVE-ID  : CVE-2016-0777 CVE-2016-0778
Package : openssh
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package openssh before version 7.1p2-1 is vulnerable to multiple
issues, including information disclosure (among other things, the
client's private keys) and arbitrary code execution.

Resolution
==========

Upgrade to 7.1p2-1.

# pacman -Syu "openssh>=7.1p2-1"

The problems have been fixed upstream in version 7.1p2.

Workaround
==========

The issues can be mitigated by setting the following option in the
OpenSSH client's configuration file manually, either globally
(/etc/ssh/ssh_config) or per user (~/.ssh/config):

    UseRoaming no

The directive should be placed in the "Host *" section of the
configuration file so that it applies to every SSH server the client
connects to. Note that ssh_config is first-match-wins: a "UseRoaming"
value set in an earlier, more specific Host block would take precedence.

The option can also be passed on the command line when connecting to an
SSH server:

    -o 'UseRoaming no'

The command-line form has to be given on every invocation, including
scp and sftp and any tool that wraps ssh (rsync -e "ssh -o 'UseRoaming
no'"), so the configuration-file form is preferable for non-interactive
setups.

Either of these settings mitigates the problems by disabling the
roaming feature. Only clients are affected: the OpenSSH server never
implemented roaming, so no server-side change is needed.

Description
===========

- CVE-2016-0777 (information disclosure)

An information leak flaw was found in the way the OpenSSH client
roaming feature was implemented. A malicious server could potentially
use this flaw to leak portions of memory (possibly including private SSH
keys) of a successfully authenticated OpenSSH client.

- CVE-2016-0778 (arbitrary code execution)

A buffer overflow flaw was found in the way the OpenSSH client roaming
feature was implemented, which leads to a file descriptor leak. A
malicious server could potentially use this flaw to execute arbitrary
code on a successfully authenticated OpenSSH client if that client used
certain non-default configuration options (ProxyCommand, ForwardAgent or
ForwardX11).
Impact
======

A remote attacker is able to use a malicious server to leak client
memory, including the client's private keys, or, under certain
non-default circumstances, to execute arbitrary code on the client.
Users with passphrase-less private keys, especially in non-interactive
setups (automated jobs using ssh, scp, rsync+ssh etc.), are advised to
replace their keys if they have connected to an SSH server they do not
fully trust.

References
==========

https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034680.htm...
https://access.redhat.com/security/cve/CVE-2016-0777
https://access.redhat.com/security/cve/CVE-2016-0778
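The following POSIX shell script is an added example that is not part of the advisory or of the openssh package: it decides from the client's "ssh -V" string whether the client still contains the roaming code and, if so, applies the "UseRoaming no" workaround from the Workaround section to a client config file without duplicating it. It assumes that the roaming client code was present from OpenSSH 5.4 up to and including 7.1p1 (7.1p2 is the fixed version named above), that "ssh -V" prints a string such as "OpenSSH_7.1p1, OpenSSL 1.0.2e 3 Dec 2015" to stderr, and the function names, the "--apply" flag and the sample config lines are my own.

```shell
#!/bin/sh
# Added example (not part of the advisory): detect an OpenSSH client that
# still carries the roaming code and add "UseRoaming no" to a config file.
# Assumption: roaming client code exists in 5.4 <= version < 7.1p2.

# roaming_affected VERSION_STRING
#   Returns 0 if the version is in the affected range, 1 if it is not,
#   2 if the string is not an OpenSSH version string at all.
roaming_affected() {
    parsed=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\{0,1\}\([0-9]*\).*/\1 \2 \3/p')
    [ -n "$parsed" ] || return 2
    set -- $parsed                          # major minor [patchlevel]
    n=$(( $1 * 10000 + $2 * 100 + ${3:-0} ))   # 7.1p2 -> 70102
    [ "$n" -ge 50400 ] && [ "$n" -lt 70102 ]
}

# ensure_use_roaming_no CONFIG_FILE
#   Adds "UseRoaming no" to the first "Host *" block of CONFIG_FILE, or
#   creates that block at the top of the file if there is none. ssh_config
#   is first-match-wins, so a block at the top applies to every host.
#   Idempotent: an existing "UseRoaming no" line is left alone.
ensure_use_roaming_no() {
    cfg=$1
    [ -f "$cfg" ] || : > "$cfg"
    if grep -Eiq '^[[:space:]]*UseRoaming[[:space:]]+no([[:space:]]|$)' "$cfg"; then
        return 0
    fi
    if grep -Eq '^[[:space:]]*Host[[:space:]]+\*[[:space:]]*$' "$cfg"; then
        # Insert directly below the first "Host *" line.
        awk '{ print }
             !done && $1 == "Host" && $2 == "*" && NF == 2 {
                 print "    UseRoaming no"; done = 1
             }' "$cfg" > "$cfg.tmp"
    else
        { printf 'Host *\n    UseRoaming no\n\n'; cat "$cfg"; } > "$cfg.tmp"
    fi
    mv "$cfg.tmp" "$cfg"
}

# check_and_mitigate CONFIG_FILE
#   Reports the installed client version and applies the workaround to
#   CONFIG_FILE when the client is in the affected range.
check_and_mitigate() {
    ver=$(ssh -V 2>&1)                      # ssh prints its version on stderr
    if roaming_affected "$ver"; then
        echo "affected client ($ver): adding 'UseRoaming no' to $1"
        ensure_use_roaming_no "$1"
    else
        echo "not affected, or version string not recognised: $ver"
    fi
}

# Invoke as:  sh mitigate-roaming.sh --apply ~/.ssh/config
case "${1:-}" in
    --apply) check_and_mitigate "${2:-$HOME/.ssh/config}" ;;
esac
```

Run it as root against /etc/ssh/ssh_config to cover every user on the machine; the version check only tells you whether the roaming code is present, so upgrading to 7.1p2-1 as described under Resolution remains the real fix.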
participants (1)
-
Levente Polyak