Date: Thu, 14 Jan 2016 13:11:29 -0500 From: Jan Schaumann <jschauma@...meister.org> To: oss-security@...ts.openwall.com Subject: Re: Qualys Security Advisory - Roaming through the OpenSSH client: CVE-2016-0777 and CVE-2016-0778 Qualys Security Advisory <qsa@...lys.com> wrote: > Since version 5.4 (released on March 8, 2010), the OpenSSH client > supports an undocumented feature called roaming: Why is version 5.3 not affected? The change appears to have been introduced in http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/clientloop.c.diff?r1=1.211&r2=1.212 https://github.com/openssh/openssh-portable/commit/c5564e1c4c41ae9af96973e2996e2a4285acbae8#diff-de6290efbc1504e2b727aee24e88db02 on 2009-05-28. OpenSSH 5.3 appears to have been named in https://github.com/openssh/openssh-portable/commit/cd6b1a27cbb9400565811f908ca536937d875b8f on 2009-06-30. I also see: $ ssh -V OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010 $ ssh -o UseSomeBogusOption=yes `hostname` date command-line: line 0: Bad configuration option: UseSomeBogusOption $ ssh -o UseRoaming=no `hostname` date Thu Jan 14 09:27:24 PST 2016 $ which suggests that OpenSSH 5.3p1 at the very least _knows_ about the UseRoaming option. -Jan
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ