[CentOS] Fwd: Heads up: OpenSSH users

Fri Jan 15 14:52:36 UTC 2016
m.roth at 5-cent.us <m.roth at 5-cent.us>

Alice Wonder wrote:
> On 01/15/2016 06:39 AM, Johnny Hughes wrote:
>> On 01/14/2016 10:20 AM, Michael H wrote:
>>> Probably worth a read...
>>>
>>> http://www.openssh.com/txt/release-7.1p2
>>>
>>>> Important SSH patch coming soon.  For now, everyone on all operating
>>>> systems, please do the following:
>>>>
>>>> Add undocumented "UseRoaming no" to ssh_config or use
>>>> "-oUseRoaming=no"
>>>> to prevent upcoming #openssh client bug CVE-2016-0777. More later.
>>>
>>> echo "UseRoaming no" >> /etc/ssh/ssh_config
>>
>> For the record, this update is now released (it was yesterday):
>>
>> https://lists.centos.org/pipermail/centos-announce/2016-January/021614.html
>>
>> This contains a patch that disables roaming:
>> https://git.centos.org/commitdiff/rpms!openssh.git/1edce7e6bfedb27a163f35bcacab620a703408ac
>
> Yes, thank you, I saw it yesterday in my e-mail from yum.
>
> I am not happy that this bug existed, undocumented features enabled by
> default are not a good thing.

Complete agreement.
>
> However that this bug was found demonstrates a success of the Open
> Source philosophy. I don't know this would have been found in a closed
> source SSH implementation.
>
> Open Source works.
>
Yup. Certain closed-source coMpanie$ would be saying "what problem,
there's no problem here, pay your money and move along...."

       mark