OpenSSH Users
OpenSSH has released update 7.1p2 to address a client information leak vulnerability.
Advanced Users: For a complete description of the security enhancements, software enhancements and affected software, refer to the OpenSSH 7.1p2 Release Notes - http://www.openssh.com/txt/release-7.1p2.
- OpenSSH client code versions 5.4 through 7.1p1
WHAT’S THE PROBLEM?
A user that authenticates to a malicious or compromised server may reveal private data, including the user's private SSH key, or cause a buffer overflow that may lead to remote code execution in certain non-default configurations.
HOW DO I PROTECT MY WEB SITE?
1. Apply an update
- OpenSSH 7.1p2 at http://www.openssh.com/txt/release-7.1p2
2. If updating is not currently an option, consider this workaround, which disables the 'UseRoaming' feature:
- The vulnerable code in the client can be completely disabled by adding 'UseRoaming no' to the global ssh_config(5) file, or to user configuration in ~/.ssh/config, or by passing -oUseRoaming=no on the command line.
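One way to check a client against the affected range and the workaround above, as an added example that is not part of the original advisory. The function names are assumptions, and because ssh_config(5) uses the first value it obtains for each option, a 'UseRoaming no' inside a specific Host block is not counted as disabling the feature.

```shell
#!/bin/sh
# Added example (not from the advisory); function names are assumptions.

# Succeeds if an "ssh -V" banner names a client from 5.4 through 7.1p1.
# A 7.1 banner without a portable "pN" suffix counts as affected (assumption).
is_affected() {
    printf '%s\n' "$1" | awk 'BEGIN { rc = 1 }
    match($0, /OpenSSH_[0-9]+\.[0-9]+/) {
        split(substr($0, RSTART + 8, RLENGTH - 8), n, ".")
        rest = substr($0, RSTART + RLENGTH)      # e.g. "p1, OpenSSL ..."
        num = n[1] * 100 + n[2]                  # 7.1 becomes 701
        fixed = (sub(/^[0-9.]*p/, "", rest) && rest + 0 >= 2)
        if (num >= 504 && num <= 701 && !(num == 701 && fixed)) rc = 0
    }
    END { exit rc }'
}

# Succeeds if the file disables roaming for every host: "UseRoaming no" at
# top level or under "Host *", with no "UseRoaming yes" anywhere before it.
roaming_disabled() {
    [ -r "$1" ] || return 1
    awk 'BEGIN { rc = 1; global = 1 }
    /^[ \t]*#/ { next }                          # comment line
    {
        line = tolower($0); gsub(/"/, "", line)
        sub(/=/, " ", line)                      # "Key=value" form
        cnt = split(line, f)
        if (f[1] == "host")  { global = (cnt == 2 && f[2] == "*"); next }
        if (f[1] == "match") { global = 0; next }
        if (f[1] != "useroaming") next
        if (f[2] == "yes") exit                  # an earlier yes wins
        if (f[2] == "no" && global) { rc = 0; exit }
    }
    END { exit rc }' "$1"
}

# Prints not-affected, mitigated or exposed for a banner and a config file.
roaming_status() {
    if ! is_affected "$1"; then echo not-affected
    elif roaming_disabled "$2"; then echo mitigated
    else echo exposed
    fi
}

# Usage (ssh -V writes its banner to stderr):
#   roaming_status "$(ssh -V 2>&1)" "$HOME/.ssh/config"
```

A distribution package can carry a backported fix under an unchanged version banner, so confirm an "exposed" result against the vendor's own advisory.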
- Vulnerability Note VU#456088 OpenSSH Client contains a client information leak vulnerability and buffer overflow - https://www.kb.cert.org/vuls/id/456088.
- IT Security - https://it.ucsf.edu/security