security information / 2016 / security information -- dsa-3446-1 openssh
Debian Security Advisory
DSA-3446-1 openssh -- security update
Date Reported:
14 Jan 2016
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 810984.
In Mitre's CVE dictionary: CVE-2016-0777, CVE-2016-0778.
More information:
The Qualys Security team discovered two vulnerabilities in the roaming code of the OpenSSH client (an implementation of the SSH protocol suite).
SSH roaming enables a client, in case an SSH connection breaks unexpectedly, to resume it at a later time, provided the server also supports it.
The OpenSSH server doesn't support roaming, but the OpenSSH client supports it (even though it's not documented) and it's enabled by default.
This security update completely disables the roaming code in the OpenSSH client.
It is also possible to disable roaming by adding the (undocumented) option UseRoaming no to the global /etc/ssh/ssh_config file, or to the user configuration in ~/.ssh/config, or by passing -oUseRoaming=no on the command line.
Users with passphrase-less private keys, especially in non interactive setups (automated jobs using ssh, scp, rsync+ssh etc.) are advised to update their keys if they have connected to an SSH server they don't trust.
More details about identifying an attack and mitigations will be available in the Qualys Security Advisory.
For the oldstable distribution (wheezy), these problems have been fixed in version 1:6.0p1-4+deb7u3.
For the stable distribution (jessie), these problems have been fixed in version 1:6.7p1-5+deb8u1.
For the testing distribution (stretch) and unstable distribution (sid), these problems will be fixed in a later version.
We recommend that you upgrade your openssh packages.
This page is also available in the following languages:
dansk français Русский (Russkij) svenska
How to set the default document language
To report a problem with the web site, please e-mail our publicly archived mailing list in English. For other contact information, see the Debian contact page. Web site source code is available.
Last Modified: Fri, Jun 1 18:42:17 UTC 2018   Last Built: Sat, Aug 28 00:36:16 UTC 2021
Copyright © 2016-2021 SPI and others; See license terms
Debian is a registered trademark of Software in the Public Interest, Inc.