Date: Thu, 14 Jan 2016 13:11:29 -0500
From: Jan Schaumann <jschauma@...meister.org>
To: oss-security@...ts.openwall.com
Subject: Re: Qualys Security Advisory - Roaming through the
 OpenSSH client: CVE-2016-0777 and CVE-2016-0778

Qualys Security Advisory <qsa@...lys.com> wrote:
 
> Since version 5.4 (released on March 8, 2010), the OpenSSH client
> supports an undocumented feature called roaming:

Why is version 5.3 not affected?

The change appears to have been introduced in

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/clientloop.c.diff?r1=1.211&r2=1.212

https://github.com/openssh/openssh-portable/commit/c5564e1c4c41ae9af96973e2996e2a4285acbae8#diff-de6290efbc1504e2b727aee24e88db02

on 2009-05-28.

OpenSSH 5.3 appears to have been named in
https://github.com/openssh/openssh-portable/commit/cd6b1a27cbb9400565811f908ca536937d875b8f
on 2009-06-30.

I also see:

$ ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
$ ssh -o UseSomeBogusOption=yes `hostname` date
command-line: line 0: Bad configuration option: UseSomeBogusOption
$ ssh -o UseRoaming=no `hostname` date
Thu Jan 14 09:27:24 PST 2016
$ 

which suggests that OpenSSH 5.3p1 at the very least _knows_ about the
UseRoaming option.

-Jan
