Posted on 01-19-2016 12:42 PM
Doesn't look like 10.11.3 (released today) fixes either of these OpenSSH vulnerabilities:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0777
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0778
EA to identify computers that don't have the fix for /etc/ssh_config or /etc/ssh/ssh_config, hope Apple releases a fix before 10.11.4.
TIA,
Don
Posted on 01-20-2016 06:24 AM
Until Apple patches it, this is relatively easy to mitigate. From the OpenSSH advisory:
MITIGATION: For OpenSSH >= 5.4 the vulnerable code in the client can be completely disabled by adding 'UseRoaming no' to the global ssh_config(5) file, or to user configuration in ~/.ssh/config, or by passing -oUseRoaming=no on the command line.
Posted on 01-21-2016 03:15 PM
Should be pretty easy to see if /etc/ssh_config or /etc/ssh/ssh_config has "UseRoaming no" and if not, add it. Hoping for a patch though.
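A sketch of the extension attribute discussed in this thread, added here as an example and not posted by any participant. It goes a little beyond a plain grep: because ssh_config(5) uses the first value obtained for a keyword and scopes settings under `Host` blocks, it only counts a `UseRoaming no` that applies to all hosts. The function names and result strings are assumptions.

```shell
#!/bin/bash
# Added example: report whether the system-wide ssh_config disables roaming
# (the mitigation quoted above for CVE-2016-0777 / CVE-2016-0778).

# roaming_state FILE -> prints the first UseRoaming value that applies to
# every host ("no", "yes", ...) or "unset" if there is none.
roaming_state() {
    awk '
        BEGIN { global = 1; state = "unset" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blanks
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)        # "Keyword=value" form
            gsub(/"/, "", line)
            n = split(line, f, /[ \t]+/)
            key = tolower(f[1])                    # keywords are case-insensitive
            # Only "Host *" keeps us in a scope that covers all hosts.
            if (key == "host")  { global = (n == 2 && f[2] == "*"); next }
            if (key == "match") { global = 0; next }
            if (key == "useroaming" && global && state == "unset")
                state = tolower(f[2])              # first obtained value wins
        }
        END { print state }
    ' "$1" 2>/dev/null
}

# ea_result FILE... -> prints a <result> line for the inventory record.
ea_result() {
    found=0; bad=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        found=1
        [ "$(roaming_state "$f")" = "no" ] || bad=1
    done
    if [ "$found" -eq 0 ]; then echo "<result>No ssh_config found</result>"
    elif [ "$bad" -eq 0 ]; then echo "<result>Mitigated</result>"
    else echo "<result>Not mitigated</result>"
    fi
}

# The two locations named in the thread.
ea_result /etc/ssh_config /etc/ssh/ssh_config
```

This covers only the system-wide file; ssh reads a user's ~/.ssh/config first, so a `UseRoaming yes` there would still take precedence for that user.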