> Date: Thursday, January 14, 2016 12:49:57 -0600
> From: Valeri Galtsev <galtsev at kicp.uchicago.edu>
>
>
> On Thu, January 14, 2016 11:46 am, m.roth at 5-cent.us wrote:
>> Timo Schöler wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA256
>>>
>>> On 01/14/2016 05:34 PM, m.roth at 5-cent.us wrote:
>>>> Michael H wrote:
>>>>> Probably worth a read...
>>>>>
>>>>> http://www.openssh.com/txt/release-7.1p2
>>>>>
>>>>>> Important SSH patch coming soon. For now, everyone on all
>>>>>> operating systems, please do the following:
>>>>>>
>>>>>> Add undocumented "UseRoaming no" to ssh_config or use
>>>>>> "-oUseRoaming=no" to prevent upcoming #openssh client bug
>>>>>> CVE-2016-0777. More later.
>>>>>
>>>>> echo "UseRoaming no" >> /etc/ssh/ssh_config
>>>>
>>>> Please clarify - will the update add *Roam* to
>>>> /etc/ssh/ssh_config?
>>>
>>> It will fix the bug.
>>>
>>>> I've just checked on two systems that are CentOS 7, a server,
>>>> and a workstation that I literally built yesterday, and grep -i
>>>> on both reports "no, not here".
>>>
>>> Yes, as it's undocumented, but enabled since about 2010. Even
>>> OpenBSD 5.9 (pre-release, it's going to be released on May 1st,
>>> 2016) does not mention it.
>>
>> Undocumented? You're saying that there's a feature that is
>> configurable via the configuration file, and there's no mention
>> of it at all in the configuration file, not even the default?
>>
>> That is more than slightly unacceptable.
>>
>
> More than agree! I was highly respecting the OpenBSD project,
> especially for their openssh. After the scandal with the OpenBSD IPSEC
> stack backdoor accusations, my respect faded grossly, and I felt
> extremely happy my choice of system for servers fell on FreeBSD,
> not OpenBSD (for some independent reason)...
>
> Valeri

RH issued an update to address this a bit over an hour ago:

<https://rhn.redhat.com/errata/RHSA-2016-0043.html>

I expect that we'll see the CentOS version shortly.
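The `echo "UseRoaming no" >> /etc/ssh/ssh_config` one-liner quoted above works on a stock CentOS 7 file, but appending is not safe in general: ssh_config takes the first value obtained for an option, and a line appended after a `Host`/`Match` stanza belongs to that stanza rather than applying globally. The script below is an added example written for this page, not code from the thread or from OpenSSH: it checks whether an ssh_config already disables roaming globally and, if not, inserts `UseRoaming no` before the first stanza (or before an existing global `UseRoaming yes`, which it then overrides because first value wins). The file name and the sample configs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): mitigate CVE-2016-0777 by making sure
# "UseRoaming no" is set *globally* in an ssh_config instead of blindly
# appending it. ssh_config keywords are case-insensitive and the first value
# obtained for an option wins, so the directive must precede any Host/Match
# stanza and any earlier "UseRoaming yes".

# Return 0 if FILE has an uncommented "UseRoaming no" that applies to every
# host (i.e. before any Host/Match stanza and not preceded by another
# UseRoaming value), 1 otherwise.
has_global_useroaming_no() {
    awk '
        found == 0 && stanza == 0 {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next
            # keyword and argument may be separated by blanks or "="
            split(line, f, /[ \t=]+/)
            key = tolower(f[1])
            if (key == "host" || key == "match") { stanza = 1; next }
            if (key == "useroaming") found = (tolower(f[2]) == "no") ? 1 : 2
        }
        END { exit (found == 1 ? 0 : 1) }
    ' "$1"
}

# Insert "UseRoaming no" in FILE at the first point where it still applies
# globally: before the first Host/Match stanza or the first UseRoaming line,
# or at the end if there is neither. Leaves the file alone if already safe.
ensure_global_useroaming_no() {
    file=$1
    if has_global_useroaming_no "$file"; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    awk '
        !done {
            line = $0
            sub(/^[ \t]+/, "", line)
            key = ""
            if (line != "" && line !~ /^#/) {
                split(line, f, /[ \t=]+/)
                key = tolower(f[1])
            }
            if (key == "host" || key == "match" || key == "useroaming") {
                print "UseRoaming no"
                done = 1
            }
        }
        { print }
        END { if (!done) print "UseRoaming no" }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner/mode of FILE
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage (run as root for the system-wide file):
#   ensure_global_useroaming_no /etc/ssh/ssh_config
```

Two caveats when applying this for real: the per-user `~/.ssh/config` is read before `/etc/ssh/ssh_config`, so a `UseRoaming yes` there would still win and should be checked the same way; and OpenSSH 7.3 and later removed the roaming code entirely, where the keyword is simply a deprecated, ignored option, so the directive is harmless to leave in place after the fixed packages arrive.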