Re: OpenSSH: client bug CVE-2016-0777 and CVE-2016-0778

On Thu, Jan 14, 2016 at 8:35 AM, Frank Elsner
<frank@xxxxxxxxxxxxxxxxxxxxx> wrote:
> you should do an
> echo 'UseRoaming no' >> /etc/ssh/ssh_config

Depending on the content of your ssh_config file, that might not be an
effective fix.  The recommended mitigation is:

# echo -e 'Host *\nUseRoaming no' >> /etc/ssh/ssh_config

>
> to secure your system according to
> http://undeadly.org/cgi?action=article&sid=20160114142733

For the sake of conversation...

Reading the Qualys security advisory is interesting as well, and I
tend to think the vulnerability is not severe for a number of reasons:
https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt

First, because versions 5.4 - 5.6 were not vulnerable to the
information leak on GNU/Linux, though they were on BSD systems.
Second, because later versions may have been able to leak private
keys, but only incomplete copies of them.  Last, because encrypted
keys could only be leaked in their encrypted form, and keys used with
an ssh-agent were not vulnerable to leaking at all.

The buffer overflow vulnerability seems more severe, but only if
you're using a bastion host which is compromised.  The vulnerability
can only be triggered when using ProxyCommand.  The buffer overflow
also is not exploitable on OpenSSH 6.8, due to a bug introduced in
that version.
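Added example, not part of the original message: a shell check for the point above that a bare append may not be an effective fix. In ssh_config, an option placed after a `Host` line applies only to that block, so the script reports whether a `UseRoaming no` reaches every host. The sample config, the host name and the function names (`roaming_status`, `make_sample`, `demo`) are constructed for illustration.

```shell
#!/bin/sh
# Added example: prints "covered" when a 'UseRoaming no' applies to every
# host in the given ssh_config, otherwise "not-covered".
roaming_status() {
    awk '
    BEGIN { universal = 1; result = "not-covered" }  # text before any Host line is global
    {
        sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")
        if ($0 == "" || $0 ~ /^#/) next
        match($0, /^[A-Za-z]+/)                      # keywords are case-insensitive
        key = tolower(substr($0, 1, RLENGTH))
        rest = substr($0, RLENGTH + 1)
        sub(/^[ \t]*=?[ \t]*/, "", rest)             # "Keyword value" or "Keyword=value"
        n = split(rest, arg, /[ \t]+/)
        if (key == "host") {
            universal = 0
            for (i = 1; i <= n; i++) if (arg[i] == "*") universal = 1
            for (i = 1; i <= n; i++) if (arg[i] ~ /^!/) universal = 0
        } else if (key == "match") {
            universal = (n == 1 && tolower(arg[1]) == "all")
        } else if (key == "useroaming") {
            val = tolower(arg[1])
            # ssh keeps the first value it obtains, so an earlier "yes" wins.
            if (val == "yes") exit
            if (val == "no" && universal) { result = "covered"; exit }
        }
    }
    END { print result }
    ' "$1"
}

# Constructed sample: a config whose last lines sit inside a host-specific block.
make_sample() {
    printf 'Host bastion.example.com\n    Port 2222\n' > "$1"
}

demo() {
    cfg=$(mktemp)
    make_sample "$cfg"
    echo 'UseRoaming no' >> "$cfg"                  # bare append from the quoted text
    echo "bare append:   $(roaming_status "$cfg")"
    make_sample "$cfg"
    printf 'Host *\nUseRoaming no\n' >> "$cfg"      # recommended form
    echo "with 'Host *': $(roaming_status "$cfg")"
    rm -f "$cfg"
}
demo
```

Run `roaming_status /etc/ssh/ssh_config` against a real file; `Include` directives and per-user `~/.ssh/config` files are not followed by this check.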