it.ucsf.edu

Security Update:

Status Type: Security Update
Date and Time: Thursday, January 14, 2016 - 16:09
Reason: Security Update
Impact: OpenSSH Users

 

WHAT HAPPENED?
OpenSSH has released update 7.1p2 to address a client information leak vulnerability.

Advanced Users: For a complete description of the security enhancements, software enhancements and affected software, refer to the OpenSSH 7.1p2 Release Notes: http://www.openssh.com/txt/release-7.1p2


AFFECTED SYSTEMS:

  • OpenSSH client code versions 5.4 through 7.1p1



WHAT’S THE PROBLEM?
A user who authenticates to a malicious or compromised server may reveal private data, including the user's private SSH key, or cause a buffer overflow that may lead to remote code execution in certain non-default configurations.


HOW DO I PROTECT MY WEB SITE?

1. Apply an update

2. If updating is not currently an option, consider the following workaround, which disables the 'UseRoaming' feature:

  • The vulnerable code in the client can be completely disabled by adding 'UseRoaming no' to the global ssh_config(5) file, or to user configuration in ~/.ssh/config, or by passing -oUseRoaming=no on the command line.
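An added example, not part of the advisory: a POSIX shell check that the local client falls in the affected range listed above and that the 'UseRoaming no' workaround is set at global scope. The function names are hypothetical, and /etc/ssh/ssh_config is assumed as the path of the global ssh_config(5) file.

```shell
#!/bin/sh
# Added example, not from the advisory. /etc/ssh/ssh_config is an assumed path.

# is_affected "OpenSSH_6.6.1p1 ..." -> 0 if in the advisory's affected range
# (5.4 through 7.1p1). Vendor packages may backport the fix without changing
# this string, so treat a hit as "check the package changelog".
is_affected() {
    ver=${1#OpenSSH_}; ver=${ver%%[ ,]*}      # e.g. "7.1p1"
    num=${ver%%p*}                            # "7.1" or "6.6.1"
    case $ver in *p*) pl=${ver##*p} ;; *) pl=0 ;; esac
    major=${num%%.*}; rest=${num#*.}; minor=${rest%%.*}
    for n in "$major" "$minor" "$pl"; do
        case $n in ''|*[!0-9]*) return 1 ;; esac   # unparsable: not matched
    done
    if [ "$major" -eq 5 ]; then [ "$minor" -ge 4 ]
    elif [ "$major" -eq 6 ]; then return 0
    elif [ "$major" -eq 7 ] && [ "$minor" -eq 0 ]; then return 0
    elif [ "$major" -eq 7 ] && [ "$minor" -eq 1 ]; then [ "$pl" -le 1 ]
    else return 1
    fi
}

# roaming_disabled FILE -> 0 only if the first UseRoaming setting in the
# global section (before any Host/Match block) is "no". ssh keeps the first
# value it obtains, so later lines in the same file cannot override it.
roaming_disabled() {
    [ -r "$1" ] || return 1
    awk '
        { line = tolower($0); sub(/^[ \t]+/, "", line) }
        line ~ /^(host|match)[ \t=]/ { exit }
        line ~ /^useroaming[ \t=]/ {
            sub(/^useroaming[ \t]*=?[ \t]*/, "", line)
            ok = (line ~ /^"?no"?[ \t]*$/); exit
        }
        END { exit !ok }
    ' "$1"
}

# audit: user file first (ssh reads it before the global file).
audit() {
    v=$(ssh -V 2>&1) || { echo "ssh client not found"; return 2; }
    is_affected "$v" || { echo "outside affected range: $v"; return 0; }
    for f in "$HOME/.ssh/config" /etc/ssh/ssh_config; do
        if roaming_disabled "$f"; then echo "UseRoaming no (global) in $f"; return 0; fi
    done
    echo "affected version, UseRoaming not disabled: $v"; return 1
}
if [ "${1:-}" = "--audit" ]; then audit; fi
```

Run it with `--audit` to check the local client. Because the user file is read before the global one, a UseRoaming setting in ~/.ssh/config takes precedence over the global file for that user.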


