Re: Fwd: Heads up: OpenSSH users


On Thu, Jan 14, 2016 at 8:20 AM, Michael H <michael@xxxxxxxxxx> wrote:
> Probably worth a read...
> http://www.openssh.com/txt/release-7.1p2

For the sake of conversation...

Reading the Qualys security advisory is interesting as well, and I
tend to think the vulnerability is not severe for a number of reasons:
https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt

First, because versions 5.4 - 5.6 were not vulnerable to the
information leak on GNU/Linux, though they were on BSD systems.
Second, because later versions may have been able to leak private
keys, but only incomplete copies of them.  Last, because encrypted
keys could only be leaked in their encrypted form, and keys used with
an ssh-agent were not vulnerable to leaking at all.

The buffer overflow vulnerability seems more severe, but only if
you're using a bastion host which is compromised.  The vulnerability
can only be triggered when using ProxyCommand.  The buffer overflow
also is not exploitable on OpenSSH 6.8, due to a bug introduced in
that version.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
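
The message above weighs two client-side conditions: whether ProxyCommand is in use, and whether private keys are stored encrypted. The following Python sketch is an added example, not part of the original post or of OpenSSH; it checks both for a given client config and key file, and the function names and sample inputs are constructed for illustration.

```python
import base64
import re

MAGIC = b"openssh-key-v1\0"  # header of the newer OpenSSH private key format

def proxycommand_hosts(config_text):
    """Return the Host/Match patterns whose block sets a ProxyCommand."""
    hosts, current = [], "*"  # options before the first Host line are global
    for raw in config_text.splitlines():
        m = re.match(r"\s*(\w+)(?:\s*=\s*|\s+)(.*)", raw)
        if not m:
            continue  # blank line or comment
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            current = value
        elif key == "proxycommand" and value.lower() != "none":
            hosts.append(current)
    return hosts

def key_is_encrypted(key_text):
    """True if passphrase-protected, False if plaintext, None if unrecognised."""
    if "BEGIN OPENSSH PRIVATE KEY" in key_text:
        body = "".join(l.strip() for l in key_text.splitlines() if "-----" not in l)
        blob = base64.b64decode(body)
        if not blob.startswith(MAGIC):
            return None
        n = int.from_bytes(blob[len(MAGIC):len(MAGIC) + 4], "big")
        # The first field after the magic is the cipher name; "none" = plaintext.
        return blob[len(MAGIC) + 4:len(MAGIC) + 4 + n] != b"none"
    if "PRIVATE KEY-----" in key_text:  # traditional PEM or PKCS#8
        return ("Proc-Type: 4,ENCRYPTED" in key_text
                or "BEGIN ENCRYPTED PRIVATE KEY" in key_text)
    return None

def constructed_key(cipher):
    """Build a constructed key header (no real key material) for the demo."""
    blob = MAGIC + len(cipher).to_bytes(4, "big") + cipher + b"\0" * 8
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed sample inputs, not taken from any real system.
SAMPLE_CONFIG = """# constructed example
Host bastion
    HostName bastion.example.org
Host internal-*
    ProxyCommand ssh -W %h:%p bastion
Host direct
    ProxyCommand none
"""
SAMPLE_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    print("ProxyCommand in use for:", proxycommand_hosts(SAMPLE_CONFIG))
    print("plaintext key encrypted?", key_is_encrypted(constructed_key(b"none")))
```

To audit a real client, pass the contents of `~/.ssh/config` and of each private key file to these functions.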