OpenSSH clients between versions 5.4 and 7.1 are vulnerable to an information disclosure issue that may allow a malicious server to retrieve information including, under some circumstances, the user's private keys. This may be mitigated by adding the undocumented config option "UseRoaming no" to ssh_config.
This bug is corrected in OpenSSH 7.1p2.
Severity
Moderate
CVE Number
This issue has been assigned CVE-2016-0777 and CVE-2016-0778. We expect more information to be added to the common vulnerability pages shortly.
Recommended Action for Linux Machines
- Install updated packages when available
- If updated packages are not yet available for your distribution, add “UseRoaming no” to /etc/ssh/ssh_config
Currently known package updates include, but are not limited to:
- https://lists.debian.org/debian-security-announce/2016/msg00015.html
- https://security-tracker.debian.org/tracker/CVE-2016-0777
- http://www.ubuntu.com/usn/usn-2869-1/
- https://rhn.redhat.com/errata/RHSA-2016-0043.html
More Information