Date: Thu, 14 Jan 2016 13:11:29 -0500
From: Jan Schaumann <>
Subject: Re: Qualys Security Advisory - Roaming through the
 OpenSSH client: CVE-2016-0777 and CVE-2016-0778

Qualys Security Advisory <> wrote:
> Since version 5.4 (released on March 8, 2010), the OpenSSH client
> supports an undocumented feature called roaming:

Why is version 5.3 not affected?

The change appears to have been introduced in

on 2009-05-28.

OpenSSH 5.3 appears to have been named in
on 2009-06-30.

I also see:

$ ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
$ ssh -o UseSomeBogusOption=yes `hostname` date
command-line: line 0: Bad configuration option: UseSomeBogusOption
$ ssh -o UseRoaming=no `hostname` date
Thu Jan 14 09:27:24 PST 2016

which suggests that OpenSSH 5.3p1 at the very least _knows_ about the
UseRoaming option.

