[3.4] OpenSSH: client bugs CVE-2016-0777 and CVE-2016-0778
OpenSSH clients between versions 5.4 and 7.1 are vulnerable to an information disclosure that may allow a malicious server to retrieve information including, under some circumstances, the user’s private keys. This may be mitigated by adding the undocumented config option UseRoaming no to ssh_config.
This bug is corrected in OpenSSH 7.1p2 and in OpenBSD’s stable branch.
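One way to check a client against the version range and mitigation described above. This is an added example, not code from the OpenSSH project or from this issue; the function names are hypothetical, and the config parser is a simplification that treats only global scope and a literal "Host *" block as applying to every host.

```sh
#!/bin/sh
# Added example. Affected range per the advisory: 5.4 through 7.1, fixed in 7.1p2.

# version_affected BANNER -> exit 0 if the `ssh -V` banner is in that range.
# A patched OpenBSD stable build cannot be told apart by version string.
version_affected() {
    v=${1#OpenSSH_}; v=${v%%[, ]*}        # "OpenSSH_7.1p1, OpenSSL ..." -> "7.1p1"
    num=${v%%p*}                          # "7.1" or "6.6.1"
    case $v in *p*) plevel=${v##*p}; plevel=${plevel%%[!0-9]*} ;; *) plevel=0 ;; esac
    major=${num%%.*}; rest=${num#*.}; minor=${rest%%.*}
    code=$((major * 100 + minor))
    [ "$code" -lt 504 ] && return 1       # older than 5.4
    [ "$code" -gt 701 ] && return 1       # newer than 7.1
    [ "$code" -eq 701 ] && [ "${plevel:-0}" -ge 2 ] && return 1   # 7.1p2 is fixed
    return 0
}

# roaming_disabled FILE -> exit 0 if the first UseRoaming that applies to all
# hosts is "no". ssh keeps the first value it obtains for a keyword, so a
# later "no" does not override an earlier "yes". No directive means not disabled.
roaming_disabled() {
    awk '
        BEGIN { all = 1; rc = 1 }
        /^[ \t]*(#|$)/ { next }                     # comments and blank lines
        {
            gsub(/=/, " ")                          # accept "Keyword=value"
            key = tolower($1)
            if (key == "host") {
                all = 0
                for (i = 2; i <= NF; i++) if ($i == "*") all = 1
                next
            }
            if (key == "match") { all = 0; next }   # simplification: never "all hosts"
            if (key == "useroaming" && all) { rc = (tolower($2) == "no") ? 0 : 1; exit }
        }
        END { exit rc }
    ' "$1"
}

# audit BANNER FILE -> prints not-affected, mitigated or vulnerable.
# Typical call: audit "$(ssh -V 2>&1)" /etc/ssh/ssh_config
# Run it against ~/.ssh/config too: the user file is read before the system file.
audit() {
    if ! version_affected "$1"; then echo "not-affected"
    elif roaming_disabled "$2"; then echo "mitigated"
    else echo "vulnerable"; fi
}
```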
CVE-2016-0777
An information leak (memory disclosure) can be exploited by a rogue SSH server to trick a client into leaking sensitive data from the client memory, including, for example, private keys.
CVE-2016-0778
A buffer overflow (leading to a file descriptor leak) can also be exploited by a rogue SSH server, but due to another bug in the code it is possibly not exploitable, and only under certain conditions (not the default configuration) when using ProxyCommand, ForwardAgent or ForwardX11.
References
http://www.openssh.com/txt/release-7.1p2
http://www.undeadly.org/cgi?action=article&sid=20160114142733
(from redmine: issue id 5014, created on 2016-01-14, closed on 2016-01-14)
- Relations:
- parent #5013 (closed)
- Changesets:
- Revision faf85ab2 by Natanael Copa on 2016-01-14T20:42:03Z:
main/openssh: security upgrade to 7.1_p2 (CVE-2016-0777,CVE-2016-0778)
fixes #5014