[arch-security] openssh: workaround for critical vulnerability

Levente Polyak anthraxx at archlinux.org
Thu Jan 14 15:21:12 UTC 2016


Summary
=======

A critical client-side SSH vulnerability has been discovered, and a
patched upstream version has been released as 7.1p2. We strongly advise
using the following workaround until the upcoming release is rolled out
in Arch Linux.
This vulnerability is being tracked as CVE-2016-0777.

Workaround
==========

Add the undocumented "UseRoaming no" to ssh_config or use
"-oUseRoaming=no" to work around the issue.
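
A check that the workaround is in effect for every host, as an added example that is not part of the original advisory: ssh_config uses the first value obtained for each option, so a "UseRoaming no" placed inside a Host block covers only that host. The helper name check_useroaming and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# check_useroaming [FILE]: classify an ssh_config (hypothetical helper name).
# Prints one of:
#   ok       "UseRoaming no" applies to all hosts and nothing enables it earlier
#   scoped   "UseRoaming no" appears only inside specific Host/Match blocks
#   enabled  a value other than "no" is read before any global "no"
#   missing  no UseRoaming directive, so the client default applies
check_useroaming() {
    awk '
    BEGIN { global = 1; result = "missing" }
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
        if (line == "" || line ~ /^#/) next
        # Keyword and argument may be separated by "=" and the argument quoted.
        sub(/[ \t]*=[ \t]*/, " ", line); gsub(/"/, "", line)
        n = split(line, f, /[ \t]+/)
        key = tolower(f[1])
        # Options before the first Host/Match, or under "Host *" / "Match all",
        # apply to every connection.
        if (key == "host")  { global = (n == 2 && f[2] == "*"); next }
        if (key == "match") { global = (n == 2 && tolower(f[2]) == "all"); next }
        if (key != "useroaming") next
        if (tolower(f[2]) != "no") { result = "enabled"; exit }
        if (global)                { result = "ok"; exit }
        result = "scoped"
    }
    END { print result }
    ' "$@"
}

# Constructed sample: the directive sits under "Host bastion" only,
# so connections to any other host are not covered.
printf '%s\n' 'Host bastion' '    UseRoaming no' 'Host *' '    Compression yes' |
    check_useroaming   # prints "scoped"
```

Run it on ~/.ssh/config and on the system-wide ssh_config separately; ssh reads the per-user file first, so a value set there takes precedence.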

References
==========

https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034680.html
https://www.marc.info/?l=openbsd-tech&m=145278077820529
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0777
