Probably worth a read...
http://www.openssh.com/txt/release-7.1p2
Important SSH patch coming soon. For now, everyone on all operating systems, please do the following:
Add undocumented "UseRoaming no" to ssh_config or use "-oUseRoaming=no" to prevent upcoming #openssh client bug CVE-2016-0777. More later.
echo "UseRoaming no" >> /etc/ssh/ssh_config
Michael H wrote:
Probably worth a read...
http://www.openssh.com/txt/release-7.1p2
Important SSH patch coming soon. For now, everyone on all operating systems, please do the following:
Add undocumented "UseRoaming no" to ssh_config or use "-oUseRoaming=no" to prevent upcoming #openssh client bug CVE-2016-0777. More later.
echo "UseRoaming no" >> /etc/ssh/ssh_config
Please clarify - will the update add *Roam* to /etc/ssh/ssh_config? I've just checked on two systems that are CentOS 7, a server, and a workstation that I literally built yesterday, and grep -i on both reports "no, not here".
mark
On 01/14/2016 05:34 PM, m.roth@5-cent.us wrote:
Michael H wrote:
Probably worth a read...
http://www.openssh.com/txt/release-7.1p2
Important SSH patch coming soon. For now, everyone on all operating systems, please do the following:
Add undocumented "UseRoaming no" to ssh_config or use "-oUseRoaming=no" to prevent upcoming #openssh client bug CVE-2016-0777. More later.
echo "UseRoaming no" >> /etc/ssh/ssh_config
Please clarify - will the update add *Roam* to /etc/ssh/ssh_config?
It will fix the bug.
I've just checked on two systems that are CentOS 7, a server, and a workstation that I literally built yesterday, and grep -i on both reports "no, not here".
Yes, as it's undocumented, but enabled since about 2010. Even OpenBSD 5.9 (pre-release, it's going to be released on May 1st, 2016) does not mention it.
Timo
mark
Timo Schöler wrote:
On 01/14/2016 05:34 PM, m.roth@5-cent.us wrote:
Michael H wrote:
Probably worth a read...
http://www.openssh.com/txt/release-7.1p2
Important SSH patch coming soon. For now, everyone on all operating systems, please do the following:
Add undocumented "UseRoaming no" to ssh_config or use "-oUseRoaming=no" to prevent upcoming #openssh client bug CVE-2016-0777. More later.
echo "UseRoaming no" >> /etc/ssh/ssh_config
Please clarify - will the update add *Roam* to /etc/ssh/ssh_config?
It will fix the bug.
I've just checked on two systems that are CentOS 7, a server, and a workstation that I literally built yesterday, and grep -i on both reports "no, not here".
Yes, as it's undocumented, but enabled since about 2010. Even OpenBSD 5.9 (pre-release, it's going to be released on May 1st, 2016) does not mention it.
Undocumented? You're saying that there's a feature that is configurable via the configuration file, and there's no mention of it at all in the configuration file, not even the default?
That is more than slightly unacceptable.
mark
On Thu, January 14, 2016 11:46 am, m.roth@5-cent.us wrote:
Timo Schöler wrote:
On 01/14/2016 05:34 PM, m.roth@5-cent.us wrote:
Michael H wrote:
Probably worth a read...
http://www.openssh.com/txt/release-7.1p2
Important SSH patch coming soon. For now, everyone on all operating systems, please do the following:
Add undocumented "UseRoaming no" to ssh_config or use "-oUseRoaming=no" to prevent upcoming #openssh client bug CVE-2016-0777. More later.
echo "UseRoaming no" >> /etc/ssh/ssh_config
Please clarify - will the update add *Roam* to /etc/ssh/ssh_config?
It will fix the bug.
I've just checked on two systems that are CentOS 7, a server, and a workstation that I literally built yesterday, and grep -i on both reports "no, not here".
Yes, as it's undocumented, but enabled since about 2010. Even OpenBSD 5.9 (pre-release, it's going to be released on May 1st, 2016) does not mention it.
Undocumented? You're saying that there's a feature that is configurable via the configuration file, and there's no mention of it at all in the configuration file, not even the default?
That is more than slightly unacceptable.
More than agree! I highly respected the OpenBSD project, especially for their OpenSSH. After the scandal with the OpenBSD IPSEC stack backdoor accusations, my respect faded grossly, and I felt extremely happy that my choice of system for servers fell on FreeBSD, not OpenBSD (for some independent reason)...
Valeri
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
Date: Thursday, January 14, 2016 12:49:57 -0600 From: Valeri Galtsev galtsev@kicp.uchicago.edu
On Thu, January 14, 2016 11:46 am, m.roth@5-cent.us wrote:
Timo Schöler wrote:
On 01/14/2016 05:34 PM, m.roth@5-cent.us wrote:
Michael H wrote:
Probably worth a read...
http://www.openssh.com/txt/release-7.1p2
Important SSH patch coming soon. For now, everyone on all operating systems, please do the following:
Add undocumented "UseRoaming no" to ssh_config or use "-oUseRoaming=no" to prevent upcoming #openssh client bug CVE-2016-0777. More later.
echo "UseRoaming no" >> /etc/ssh/ssh_config
Please clarify - will the update add *Roam* to /etc/ssh/ssh_config?
It will fix the bug.
I've just checked on two systems that are CentOS 7, a server, and a workstation that I literally built yesterday, and grep -i on both reports "no, not here".
Yes, as it's undocumented, but enabled since about 2010. Even OpenBSD 5.9 (pre-release, it's going to be released on May 1st, 2016) does not mention it.
Undocumented? You're saying that there's a feature that is configurable via the configuration file, and there's no mention of it at all in the configuration file, not even the default?
That is more than slightly unacceptable.
More than agree! I highly respected the OpenBSD project, especially for their OpenSSH. After the scandal with the OpenBSD IPSEC stack backdoor accusations, my respect faded grossly, and I felt extremely happy that my choice of system for servers fell on FreeBSD, not OpenBSD (for some independent reason)...
Valeri
RH issued an update to address this a bit over an hour ago:
https://rhn.redhat.com/errata/RHSA-2016-0043.html
I expect that we'll see the CentOS version shortly.
On 14-01-2016 18:49, Valeri Galtsev wrote:
More than agree! I highly respected the OpenBSD project, especially for their OpenSSH. After the scandal with the OpenBSD IPSEC stack backdoor accusations, my respect faded grossly,
In what way do spurious accusations reflect on the accused, instead of the accuser?
I do agree that leaving code for an undocumented feature in the client was irresponsible, but that's an entirely different matter.
On Thu, Jan 14, 2016 at 11:34:18AM -0500, m.roth@5-cent.us wrote:
Michael H wrote:
Probably worth a read...
http://www.openssh.com/txt/release-7.1p2
Important SSH patch coming soon. For now, everyone on all operating systems, please do the following:
Add undocumented "UseRoaming no" to ssh_config or use "-oUseRoaming=no" to prevent upcoming #openssh client bug CVE-2016-0777. More later.
echo "UseRoaming no" >> /etc/ssh/ssh_config
Please clarify - will the update add *Roam* to /etc/ssh/ssh_config? I've just checked on two systems that are CentOS 7, a server, and a workstation that I literally built yesterday, and grep -i on both reports "no, not here".
That came from Theo (OpenBSD's Theo) and was called undocumented. So, my guess is that, in the client (not the server) there is a default of UseRoaming that doesn't show in the config file.
Note that this is something that affects ssh clients, not servers.
In article 5697CAB8.6090703@wemoto.com, Michael H michael@wemoto.com wrote:
Probably worth a read...
http://www.openssh.com/txt/release-7.1p2
Important SSH patch coming soon. For now, everyone on all operating systems, please do the following:
Add undocumented "UseRoaming no" to ssh_config or use "-oUseRoaming=no" to prevent upcoming #openssh client bug CVE-2016-0777. More later.
echo "UseRoaming no" >> /etc/ssh/ssh_config
It says this applies to OpenSSH 5.4 to 7.1.
So it would only affect CentOS7 and up, as C6 uses openssh-5.3.
Cheers Tony
On 14/01/16 17:54, Tony Mountifield wrote:
In article 5697CAB8.6090703@wemoto.com, Michael H michael-YC1br6QyVKfQT0dZR+AlfA@public.gmane.org wrote:
Probably worth a read...
http://www.openssh.com/txt/release-7.1p2
Important SSH patch coming soon. For now, everyone on all operating systems, please do the following:
Add undocumented "UseRoaming no" to ssh_config or use "-oUseRoaming=no" to prevent upcoming #openssh client bug CVE-2016-0777. More later.
echo "UseRoaming no" >> /etc/ssh/ssh_config
It says this applies to OpenSSH 5.4 to 7.1.
So it would only affect CentOS7 and up, as C6 uses openssh-5.3.
https://access.redhat.com/articles/2123781
On 01/14/2016 10:20 AM, Michael H wrote:
Probably worth a read...
http://www.openssh.com/txt/release-7.1p2
Important SSH patch coming soon. For now, everyone on all operating systems, please do the following:
Add undocumented "UseRoaming no" to ssh_config or use "-oUseRoaming=no" to prevent upcoming #openssh client bug CVE-2016-0777. More later.
echo "UseRoaming no" >> /etc/ssh/ssh_config
For the record, this update is now released (it was yesterday):
https://lists.centos.org/pipermail/centos-announce/2016-January/021614.html
This contains a patch that disables roaming: https://git.centos.org/commitdiff/rpms!openssh.git/1edce7e6bfedb27a163f35bca...
Thanks, Johnny Hughes
On 01/15/2016 06:39 AM, Johnny Hughes wrote:
On 01/14/2016 10:20 AM, Michael H wrote:
Probably worth a read...
http://www.openssh.com/txt/release-7.1p2
Important SSH patch coming soon. For now, everyone on all operating systems, please do the following:
Add undocumented "UseRoaming no" to ssh_config or use "-oUseRoaming=no" to prevent upcoming #openssh client bug CVE-2016-0777. More later.
echo "UseRoaming no" >> /etc/ssh/ssh_config
For the record, this update is now released (it was yesterday):
https://lists.centos.org/pipermail/centos-announce/2016-January/021614.html
This contains a patch that disables roaming: https://git.centos.org/commitdiff/rpms!openssh.git/1edce7e6bfedb27a163f35bca...
Yes, thank you, I saw it yesterday in my e-mail from yum.
I am not happy that this bug existed, undocumented features enabled by default are not a good thing.
However, that this bug was found demonstrates a success of the Open Source philosophy. I don't know that this would have been found in a closed source SSH implementation.
Open Source works.
Alice Wonder wrote:
On 01/15/2016 06:39 AM, Johnny Hughes wrote:
On 01/14/2016 10:20 AM, Michael H wrote:
Probably worth a read...
http://www.openssh.com/txt/release-7.1p2
Important SSH patch coming soon. For now, everyone on all operating systems, please do the following:
Add undocumented "UseRoaming no" to ssh_config or use "-oUseRoaming=no" to prevent upcoming #openssh client bug CVE-2016-0777. More later.
echo "UseRoaming no" >> /etc/ssh/ssh_config
For the record, this update is now released (it was yesterday):
https://lists.centos.org/pipermail/centos-announce/2016-January/021614.html
This contains a patch that disables roaming: https://git.centos.org/commitdiff/rpms!openssh.git/1edce7e6bfedb27a163f35bca...
Yes, thank you, I saw it yesterday in my e-mail from yum.
I am not happy that this bug existed, undocumented features enabled by default are not a good thing.
Complete agreement.
However, that this bug was found demonstrates a success of the Open Source philosophy. I don't know that this would have been found in a closed source SSH implementation.
Open Source works.
Yup. Certain closed-source coMpanie$ would be saying "what problem, there's no problem here, pay your money and move along...."
mark
I see that this is a CentOS 7 patch only, at least so far. I also see that the CentOS 6 ssh version is 5.3
> /usr/bin/ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
which is supposedly not affected. However, strings indicates that /usr/bin/ssh is also aware of the useroaming configuration option:
> strings /usr/bin/ssh | grep -i useroam
useroaming
Is it actually known that the ssh version shipped with CentOS 6 is not vulnerable, or is it just assumed based on the version number? The announcement implies that the roaming code itself was added in 5.4, not just that a default was changed, but if that’s really true, why is that string in the binary?
Noam
P.S. I do realize this is a question better directed to RedHat, but I’m hoping someone here might still know.
On Jan 15, 2016, at 9:39 AM, Johnny Hughes johnny@centos.org wrote:
For the record, this update is now released (it was yesterday):
https://lists.centos.org/pipermail/centos-announce/2016-January/021614.html
This contains a patch that disables roaming: https://git.centos.org/commitdiff/rpms!openssh.git/1edce7e6bfedb27a163f35bca...
Thanks, Johnny Hughes
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
On 01/15/2016 08:55 AM, Noam Bernstein wrote:
I see that this is a CentOS 7 patch only, at least so far. I also see that the CentOS 6 ssh version is 5.3
> /usr/bin/ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
which is supposedly not affected. However, strings indicates that /usr/bin/ssh is also aware of the useroaming configuration option:
> strings /usr/bin/ssh | grep -i useroam
useroaming
Is it actually known that the ssh version shipped with CentOS 6 is not vulnerable, or is it just assumed based on the version number? The announcement implies that the roaming code itself was added in 5.4, not just that a default was changed, but if that’s really true, why is that string in the binary?
https://bugzilla.redhat.com/show_bug.cgi?id=1298032#c16
(see comment 16)
On Jan 15, 2016, at 10:31 AM, Johnny Hughes johnny@centos.org wrote:
On 01/15/2016 08:55 AM, Noam Bernstein wrote:
I see that this is a CentOS 7 patch only, at least so far. I also see that the CentOS 6 ssh version is 5.3
> /usr/bin/ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
which is supposedly not affected. However, strings indicates that /usr/bin/ssh is also aware of the useroaming configuration option:
> strings /usr/bin/ssh | grep -i useroam
useroaming
Is it actually known that the ssh version shipped with CentOS 6 is not vulnerable, or is it just assumed based on the version number? The announcement implies that the roaming code itself was added in 5.4, not just that a default was changed, but if that’s really true, why is that string in the binary?
https://bugzilla.redhat.com/show_bug.cgi?id=1298032#c16
(see comment 16)
Yes, that answers my question. Thanks.
Noam
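One way to turn the first message's "UseRoaming no" advice and the version discussion above (5.4 to 7.1, checked with ssh -V) into a repeatable check, as an added example that is not code from this thread or from OpenSSH. It assumes a POSIX sh with grep -E; the function names are my own, and the version range is only a first screen, since distribution packages such as the CentOS 7 update discussed here backport the fix without changing the banner.

```shell
#!/bin/sh
# Added example, not code from this thread or from OpenSSH. Screens an
# `ssh -V` banner against the range quoted above (5.4 to 7.1, fixed in 7.1p2)
# and applies "UseRoaming no" only once. Distros backport fixes without
# changing the banner, so the version test is a first screen, not a verdict.

# Print "major minor portable-patchlevel" for a banner such as
# "OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013"; fail on anything else.
ssh_version() {
    case $1 in OpenSSH_[0-9]*) ;; *) return 1 ;; esac
    v=${1#OpenSSH_}; v=${v%%[, ]*}          # "5.3p1"
    major=${v%%.*}; rest=${v#*.}            # "5" and "3p1"
    minor=${rest%%[!0-9]*}
    case $rest in
        *p[0-9]*) plevel=${rest##*p}; plevel=${plevel%%[!0-9]*} ;;
        *) plevel=0 ;;                      # non-portable (OpenBSD) banner
    esac
    echo "$major $minor $plevel"
}

# 0 = within 5.4..7.1 and older than 7.1p2, 1 = outside, 2 = unparseable.
roaming_affected() {
    v=$(ssh_version "$1") || return 2
    set -- $v
    if [ "$1" -lt 5 ] || { [ "$1" -eq 5 ] && [ "$2" -lt 4 ]; }; then return 1; fi
    if [ "$1" -gt 7 ] || { [ "$1" -eq 7 ] && [ "$2" -gt 1 ]; }; then return 1; fi
    if [ "$1" -eq 7 ] && [ "$2" -eq 1 ] && [ "$3" -ge 2 ]; then return 1; fi
    return 0
}

# 0 when the file has an active "UseRoaming no" line. Keywords are
# case-insensitive, comments are ignored, Host blocks are not parsed.
roaming_disabled_in() {
    grep -Eiq '^[[:space:]]*UseRoaming[[:space:]]+no([[:space:]]|$)' "$1"
}

# Append the directive only when missing; the bare `echo >> ssh_config` from
# the first message adds another copy every time it is re-run.
ensure_roaming_disabled() {
    roaming_disabled_in "$1" || printf 'UseRoaming no\n' >> "$1"
}

# `sh roaming-check.sh --check` inspects the local client and ssh_config.
case ${1-} in --check)
    banner=$(ssh -V 2>&1 | head -n 1)
    if roaming_affected "$banner"; then
        ensure_roaming_disabled /etc/ssh/ssh_config && echo "mitigated: $banner"
    else echo "outside affected range or unparseable: $banner"; fi ;;
esac
```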
On Thu, Jan 14, 2016 at 8:20 AM, Michael H michael@wemoto.com wrote:
Probably worth a read... http://www.openssh.com/txt/release-7.1p2
For the sake of conversation...
Reading the Qualys security advisory is interesting as well, and I tend to think the vulnerability is not severe for a number of reasons: https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-20...
First, because versions 5.4 - 5.6 were not vulnerable to the information leak on GNU/Linux, though they were on BSD systems. Second, because later versions may have been able to leak private keys, but only incomplete copies of them. Last, because encrypted keys could only be leaked in their encrypted form, and keys used with an ssh-agent were not vulnerable to leaking at all.
The buffer overflow vulnerability seems more severe, but only if you're using a bastion host which is compromised. The vulnerability can only be triggered when using ProxyCommand. The buffer overflow also is not exploitable on OpenSSH 6.8, due to a bug introduced in that version.