MGASA-2016-0022

Description

Updated openssh packages fix security vulnerabilities An information leak flaw was found in the way the OpenSSH client roaming feature was implemented. A malicious server could potentially use this flaw to leak portions of memory (possibly including private SSH keys) of a successfully authenticated OpenSSH client (CVE-2016-0777). A buffer overflow flaw was found in the way the OpenSSH client roaming feature was implemented. A malicious server could potentially use this flaw to execute arbitrary code on a successfully authenticated OpenSSH client if that client used certain non-default configuration options (CVE-2016-0778). The issue only affects OpenSSH clients making use of the ProxyCommand feature. This update disables the roaming feature completely.

Affected Systems

• mageia•openssh

  < 6.6p1-5.6.mga5

References (5)

• https://advisories.mageia.org/MGASA-2016-0022.html
• https://bugs.mageia.org/show_bug.cgi?id=17494
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0777
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0778
• http://www.openssh.com/security.html