Help

CVE-2016-0777 and CVE-2016-0778...oy vey

donmontalvo
Esteemed Contributor III

Posted on ‎01-19-2016 12:42 PM

Doesn't look like 10.11.3 (released today) fix either of these OpenSSH vulnerabilities:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0777
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0778

EA to identify computers that don't have the fix for /etc/ssh_config or /etc/ssh/ssh_config, hope Apple releases a fix before 10.11.4.

TIA,
Don

--
https://donmontalvo.com
0 Kudos
2 REPLIES 2

mthakur
Contributor

Posted on ‎01-20-2016 06:24 AM

Until Apple patches it, this is relatively easy to mitigate. From the OpenSSH advisory:

MITIGATION: For OpenSSH >= 5.4 the vulnerable code in the client can be completely disabled by adding 'UseRoaming no' to the gobal ssh_config(5) file, or to user configuration in ~/.ssh/config, or by passing -oUseRoaming=no on the command line.
0 Kudos

donmontalvo
Esteemed Contributor III

Posted on ‎01-21-2016 03:15 PM

Should be pretty easy to see if /etc/ssh_config ior /etc/ssh/ssh_config has "UseRoaming no" and if not, add it. Hoping for a patch though.

--
https://donmontalvo.com
0 Kudos