[CentOS] Fwd: Heads up: OpenSSH users

Thu Jan 14 22:06:32 UTC 2016
Richard <lists-centos at listmail.innovate.net>


> Date: Thursday, January 14, 2016 12:49:57 -0600
> From: Valeri Galtsev <galtsev at kicp.uchicago.edu>
>
> 
> On Thu, January 14, 2016 11:46 am, m.roth at 5-cent.us wrote:
>> Timo Schöler wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA256
>>> 
>>> On 01/14/2016 05:34 PM, m.roth at 5-cent.us wrote:
>>>> Michael H wrote:
>>>>> Probably worth a read...
>>>>> 
>>>>> http://www.openssh.com/txt/release-7.1p2
>>>>> 
>>>>>> Important SSH patch coming soon.  For now, everyone on all
>>>>>> operating systems, please do the following:
>>>>>> 
>>>>>> Add undocumented "UseRoaming no" to ssh_config or use
>>>>>> "-oUseRoaming=no" to prevent upcoming #openssh client bug
>>>>>> CVE-2016-0777. More later.
>>>>> 
>>>>> echo "UseRoaming no" >> /etc/ssh/ssh_config
>>>> 
>>>> Please clarify - will the update add *Roam* to
>>>> /etc/ssh/ssh_config?
>>> 
>>> It will fix the bug.
>>> 
>>>> I've just checked on two systems that are CentOS 7, a server,
>>>> and a workstation that I literally built yesterday, and grep -i
>>>> on both reports "no, not here".
>>> 
>>> Yes, as it's undocumented, but enabled since about 2010. Even
>>> OpenBSD 5.9 (pre-release, it's going to be released on May 1st,
>>> 2016) does not mention it.
>> 
>> Undocumented? You're saying that there's a feature that is
>> configurable via the configuration file, and there's no mention
>> of it at all in the configuration file, not even the default?
>> 
>> That is more than slightly unacceptable.
>> 
> 
> More than agree! I highly respected the OpenBSD project,
> especially for their OpenSSH. After the scandal with the OpenBSD IPsec
> stack backdoor accusations, my respect faded grossly, and I felt
> extremely happy that my choice of system for servers fell on FreeBSD,
> not OpenBSD (for some independent reason)...
> 
> Valeri


RH issued an update to address this a bit over an hour ago:

  <https://rhn.redhat.com/errata/RHSA-2016-0043.html>

I expect that we'll see the CentOS version shortly.
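As an added example for this thread (not code from OpenSSH, Red Hat, CentOS or anyone quoted above), the following POSIX shell script audits an ssh_config for the client-side "UseRoaming no" workaround and applies it only when missing. It addresses a caveat the quoted `echo ... >> /etc/ssh/ssh_config` one-liner does not: ssh_config honours the first value it finds for an option, so a directive appended at the end of the file is ineffective if an earlier `UseRoaming yes` (global or inside a `Host` block) already set it. The function names `roaming_status` and `ensure_roaming_disabled` and the sample config contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example for this thread (not OpenSSH, Red Hat or CentOS code):
# audit an ssh_config for the client-side CVE-2016-0777 workaround
# ("UseRoaming no") and apply it idempotently if it is missing.
#
# Caveat the "echo >>" one-liner does not handle: ssh_config honours the
# FIRST value it sees for an option, so appending "UseRoaming no" at the end
# is ineffective if an earlier "UseRoaming yes" (global or in a Host block)
# already set it. This script therefore prepends the directive.
# Function names and the sample config below are assumptions for this example.

# roaming_status FILE
#   Prints "mitigated" if the first UseRoaming directive says no,
#   "enabled" if it explicitly says yes, and "unset" if there is none
#   (a client older than 7.1p2 then defaults to roaming enabled).
#   Handles "UseRoaming no", "UseRoaming=no" and indented (Host block)
#   forms; commented-out lines are ignored.
roaming_status() {
    [ -r "$1" ] || { echo unset; return 0; }
    first=$(awk '{ gsub(/=/, " ")
                   if (tolower($1) == "useroaming") { print tolower($2); exit } }' "$1")
    case "$first" in
        no)  echo mitigated ;;
        yes) echo enabled ;;
        *)   echo unset ;;
    esac
}

# ensure_roaming_disabled FILE
#   Makes "UseRoaming no" the first directive in FILE (creating it if
#   needed). Does nothing when FILE is already mitigated, so it is safe to
#   run repeatedly from configuration management. Returns 0 on success.
ensure_roaming_disabled() {
    cfg=$1
    if [ "$(roaming_status "$cfg")" = mitigated ]; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    {
        echo '# CVE-2016-0777 workaround: disable undocumented roaming (first value wins)'
        echo 'UseRoaming no'
        if [ -r "$cfg" ]; then cat "$cfg"; fi
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write in place with cat so the original file's mode and owner survive.
    cat "$tmp" > "$cfg" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    [ "$(roaming_status "$cfg")" = mitigated ]
}

# demo_roaming_fix
#   Constructed sample client config (not a real system file) in which an
#   explicit "UseRoaming yes" would defeat a naive append of "UseRoaming no".
demo_roaming_fix() {
    sample=$(mktemp) || return 1
    printf 'Host *\n    ForwardAgent no\n    UseRoaming yes\n' > "$sample"
    echo "before: $(roaming_status "$sample")"   # enabled
    ensure_roaming_disabled "$sample"
    echo "after:  $(roaming_status "$sample")"   # mitigated
    rm -f "$sample"
}

demo_roaming_fix
```

On a real system, run `ensure_roaming_disabled /etc/ssh/ssh_config` as root, and audit each user's `~/.ssh/config` as well, since the per-user file is read before the system-wide one and its first value wins; `-oUseRoaming=no` on the command line overrides both.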