This affects every OpenSSH version going back to 5.4 in 2010. If you use one of the affected versions, set "UseRoaming no" in your client's ssh_config until you can patch. The roaming code was ripped from the server portion of OpenSSH years ago, but it was left in the client code for all these years and was never documented. Here's some reading material which explains the bug in more detail:
http://undeadly.org/cgi?action=article&sid=20160114142733

Here's the analysis from Qualys, who reported the bug:
https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt
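A way to check that the "UseRoaming no" workaround actually covers every host, as an added example that is not part of the original message. The function name and the sample configs are hypothetical; it assumes ssh_config's first-obtained-value rule and an affected client where roaming is on unless disabled.

```python
import re

# "Keyword value" or "Keyword=value"; comment lines never match.
LINE = re.compile(r"([A-Za-z]+)(?:\s*=\s*|\s+)(.*)")

def roaming_disabled_for_all_hosts(config_text):
    """True only if every host resolves to 'UseRoaming no'.

    ssh keeps the first value it obtains for each option, so a
    'UseRoaming yes' in an earlier block beats a later 'Host *' entry.
    """
    applies_to_all = True  # lines before the first Host/Match are global
    for raw in config_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        key = m.group(1).lower()
        args = [a.strip('"').lower() for a in m.group(2).split()]
        if key == "host":
            applies_to_all = args == ["*"]
        elif key == "match":
            applies_to_all = args == ["all"]
        elif key == "useroaming" and args:
            if args[0] != "no":
                return False  # some host keeps roaming enabled
            if applies_to_all:
                return True   # mitigation reached for every host
    return False              # never set globally: the default applies

# Constructed sample configs (not taken from any real system).
GLOBAL_NO = "UseRoaming no\nHost build\n  User ci\n"
STAR_NO = "Host build\n  User ci\nHost *\n  UseRoaming=no\n"
SCOPED_ONLY = "Host build\n  UseRoaming no\nHost *\n  ForwardAgent no\n"
SHADOWED = "Host legacy\n  UseRoaming yes\nHost *\n  UseRoaming no\n"
COMMENTED = "# UseRoaming no\nHost *\n  User ci\n"

if __name__ == "__main__":
    samples = {"GLOBAL_NO": GLOBAL_NO, "STAR_NO": STAR_NO,
               "SCOPED_ONLY": SCOPED_ONLY, "SHADOWED": SHADOWED,
               "COMMENTED": COMMENTED}
    for name, text in samples.items():
        print(name, roaming_disabled_for_all_hosts(text))
```

ssh reads ~/.ssh/config before /etc/ssh/ssh_config, so to check a real client pass the contents of those two files concatenated in that order.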
