Date: Thu, 14 Jan 2016 13:11:29 -0500
From: Jan Schaumann <>
Subject: Re: Qualys Security Advisory - Roaming through the
 OpenSSH client: CVE-2016-0777 and CVE-2016-0778

Qualys Security Advisory <> wrote:
> Since version 5.4 (released on March 8, 2010), the OpenSSH client
> supports an undocumented feature called roaming:

Why is version 5.3 not affected?

The change appears to have been introduced in

on 2009-05-28.

OpenSSH 5.3 appears to have been named in
on 2009-06-30.

I also see:

$ ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
$ ssh -o UseSomeBogusOption=yes `hostname` date
command-line: line 0: Bad configuration option: UseSomeBogusOption
$ ssh -o UseRoaming=no `hostname` date
Thu Jan 14 09:27:24 PST 2016

which suggests that OpenSSH 5.3p1 at the very least _knows_ about the
UseRoaming option.

