On 01/15/2016 06:39 AM, Johnny Hughes wrote:
On 01/14/2016 10:20 AM, Michael H wrote:
Probably worth a read...
http://www.openssh.com/txt/release-7.1p2
Important SSH patch coming soon. For now, everyone on all operating
systems, please do the following:
Add undocumented "UseRoaming no" to ssh_config or use "-oUseRoaming=no"
to prevent upcoming #openssh client bug CVE-2016-0777. More later.
echo "UseRoaming no" >> /etc/ssh/ssh_config
For the record, this update is now released (it was yesterday):
https://lists.centos.org/pipermail/centos-announce/2016-January/021614.html
This contains a patch that disables roaming:
https://git.centos.org/commitdiff/rpms!openssh.git/1edce7e6bfedb27a163f35bcacab620a703408ac
Yes, thank you, I saw it yesterday in my e-mail from yum.
I am not happy that this bug existed, undocumented features enabled by
default are not a good thing.
However that this bug was found demonstrates a success of the Open
Source philosophy. I don't know this would have been found in a closed
source SSH implementation.
Open Source works.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
