Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20160114181128.GD16572@netmeister.org>
Date: Thu, 14 Jan 2016 13:11:29 -0500
From: Jan Schaumann <jschauma@...meister.org>
To: oss-security@...ts.openwall.com
Subject: Re: Qualys Security Advisory - Roaming through the
 OpenSSH client: CVE-2016-0777 and CVE-2016-0778

Qualys Security Advisory <qsa@...lys.com> wrote:
 
> Since version 5.4 (released on March 8, 2010), the OpenSSH client
> supports an undocumented feature called roaming:

Why is version 5.3 not affected?

The change appears to have been introduced in

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/clientloop.c.diff?r1=1.211&r2=1.212

https://github.com/openssh/openssh-portable/commit/c5564e1c4c41ae9af96973e2996e2a4285acbae8#diff-de6290efbc1504e2b727aee24e88db02

on 2009-05-28.

OpenSSH 5.3 appears to have been named in
https://github.com/openssh/openssh-portable/commit/cd6b1a27cbb9400565811f908ca536937d875b8f
on 2009-06-30.

I also see:

$ ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
$ ssh -o UseSomeBogusOption=yes `hostname` date
command-line: line 0: Bad configuration option: UseSomeBogusOption
$ ssh -o UseRoaming=no `hostname` date
Thu Jan 14 09:27:24 PST 2016
$ 

which suggests that OpenSSH 5.3p1 at the very least _knows_ about the
UseRoaming option.

-Jan

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.