Date: Thu, 14 Jan 2016 13:11:29 -0500
From: Jan Schaumann <jschauma@...meister.org>
To: oss-security@...ts.openwall.com
Subject: Re: Qualys Security Advisory - Roaming through the OpenSSH client: CVE-2016-0777 and CVE-2016-0778

Qualys Security Advisory <qsa@...lys.com> wrote:
> Since version 5.4 (released on March 8, 2010), the OpenSSH client
> supports an undocumented feature called roaming:

Why is version 5.3 not affected?

The change appears to have been introduced in
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/clientloop.c.diff?r1=1.211&r2=1.212
https://github.com/openssh/openssh-portable/commit/c5564e1c4c41ae9af96973e2996e2a4285acbae8#diff-de6290efbc1504e2b727aee24e88db02
on 2009-05-28.

OpenSSH 5.3 appears to have been named in
https://github.com/openssh/openssh-portable/commit/cd6b1a27cbb9400565811f908ca536937d875b8f
on 2009-06-30.

I also see:

$ ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
$ ssh -o UseSomeBogusOption=yes `hostname` date
command-line: line 0: Bad configuration option: UseSomeBogusOption
$ ssh -o UseRoaming=no `hostname` date
Thu Jan 14 09:27:24 PST 2016
$

which suggests that OpenSSH 5.3p1 at the very least _knows_ about the
UseRoaming option.

-Jan