
CVE-2016-0777 and CVE-2016-0778...oy vey

  • January 19, 2016

donmontalvo

Doesn't look like 10.11.3 (released today) fixes either of these OpenSSH vulnerabilities:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0777
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0778

EA to identify computers that don't have the fix for /etc/ssh_config or /etc/ssh/ssh_config, hope Apple releases a fix before 10.11.4.

TIA,
Don

  • Valued Contributor
  • January 20, 2016

Until Apple patches it, this is relatively easy to mitigate. From the OpenSSH advisory:

MITIGATION: For OpenSSH >= 5.4 the vulnerable code in the client can be completely disabled by adding 'UseRoaming no' to the global ssh_config(5) file, or to user configuration in ~/.ssh/config, or by passing -oUseRoaming=no on the command line.

donmontalvo
  • Author
  • Hall of Fame
  • January 21, 2016

Should be pretty easy to see if /etc/ssh_config or /etc/ssh/ssh_config has "UseRoaming no" and if not, add it. Hoping for a patch though.
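An added example, not the original poster's EA and not Jamf's or Apple's code: a POSIX shell check-and-remediate script for the mitigation quoted above. It assumes the two config paths named in the thread, and the function names and the "Mitigated"/"Vulnerable" result strings are my own choice.

```shell
#!/bin/sh
# Constructed example: report and, if needed, apply the "UseRoaming no"
# client mitigation for CVE-2016-0777 / CVE-2016-0778 from the OpenSSH advisory.
# 10.11 keeps the client config at /etc/ssh/ssh_config; older releases used
# /etc/ssh_config, so both paths from the thread are checked.

# Print the first candidate config path that exists; fail if none is present.
find_ssh_config() {
    for f in /etc/ssh/ssh_config /etc/ssh_config; do
        [ -f "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

# Return 0 if FILE contains an uncommented "UseRoaming no" directive.
# ssh_config(5) keywords are case-insensitive and accept "key value" or
# "key=value"; a line starting with '#' is a comment and does not count.
# Simplification: a directive under a "Host name" stanza only applies to that
# host; this check does not verify the directive is in the global section.
has_use_roaming_no() {
    grep -Eiq '^[[:space:]]*UseRoaming[[:space:]=]+no([[:space:]]|$)' "$1"
}

# Extension-attribute style result string for FILE.
ea_result() {
    if has_use_roaming_no "$1"; then echo "Mitigated"; else echo "Vulnerable"; fi
}

# Prepend the directive to FILE if missing (idempotent). Prepending rather
# than appending keeps it ahead of any "Host" stanza, so it applies globally;
# ssh uses the first value obtained for each option. Needs root on /etc files.
ensure_use_roaming_no() {
    has_use_roaming_no "$1" && return 0
    tmp="$1.tmp.$$"
    { printf '# CVE-2016-0777 / CVE-2016-0778 mitigation\nUseRoaming no\n'
      cat "$1"; } > "$tmp" && mv "$tmp" "$1"
}

# Demo on a constructed config in a temp dir so this runs without root.
demo_dir=$(mktemp -d)
printf 'Host *\n    SendEnv LANG LC_*\n' > "$demo_dir/ssh_config"
echo "before: $(ea_result "$demo_dir/ssh_config")"
ensure_use_roaming_no "$demo_dir/ssh_config"
echo "after:  $(ea_result "$demo_dir/ssh_config")"
rm -rf "$demo_dir"
if cfg=$(find_ssh_config); then
    echo "system ($cfg): $(ea_result "$cfg")"
else
    echo "system: no ssh_config found"
fi
```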