Bug 571892 (CVE-2016-0777) - <net-misc/openssh-7.1_p2: Multiple vulnerabilities related to roaming (CVE-2016-{0777,0778})
Summary: <net-misc/openssh-7.1_p2: Multiple vulnerabilities related to roaming (CVE-20...
Status: RESOLVED FIXED
Alias: CVE-2016-0777
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: http://lists.mindrot.org/pipermail/op...
Whiteboard: A3 [glsa cve]
Keywords:
: 571930
Depends on:
Blocks: CVE-2015-5600 557340
Reported: 2016-01-14 15:14 UTC by Alex Legler (RETIRED)
Modified: 2016-06-12 00:36 UTC (History)
11 users

See Also:
Package list:
Runtime testing required: ---


Description Alex Legler (RETIRED) archtester gentoo-dev Security 2016-01-14 15:14:29 UTC
* SECURITY: ssh(1): The OpenSSH client code between 5.4 and 7.1
   contains experimental support for resuming SSH connections (roaming).

   The matching server code has never been shipped, but the client
   code was enabled by default and could be tricked by a malicious
   server into leaking client memory to the server, including private
   client user keys.

   The authentication of the server host key prevents exploitation
   by a man-in-the-middle, so this information leak is restricted
   to connections to malicious or compromised servers.

   MITIGATION: For OpenSSH >= 5.4 the vulnerable code in the client
   can be completely disabled by adding 'UseRoaming no' to the global
   ssh_config(5) file, or to user configuration in ~/.ssh/config,
   or by passing -oUseRoaming=no on the command line.

   PATCH: See below for a patch to disable this feature (Disabling
   Roaming in the Source Code).

   This problem was reported by the Qualys Security Advisory team.
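An added check for the affected range and the 'UseRoaming no' mitigation stated above; this is example code written here, not from the bug report, OpenSSH or the Gentoo ebuild. The function names are invented, and the ssh_config scoping is simplified to global scope plus "Host *" / "Match all" blocks.

```shell
#!/bin/sh
# Added example (not part of the bug report or of OpenSSH): two checks a
# defender can run against the roaming issue described above.
#  - openssh_version_affected VERSION : true when VERSION (as printed by
#    "ssh -V", e.g. "OpenSSH_7.1p1") is in the affected range 5.4 .. 7.1p1.
#  - roaming_disabled_in_config FILE  : true when FILE carries an effective
#    "UseRoaming no" for every host (global scope, "Host *" or "Match all").

openssh_version_affected() {
    # Extract "major minor patchlevel" from e.g. "OpenSSH_7.1p2, OpenSSL ...".
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^\(OpenSSH_\)\{0,1\}\([0-9][0-9]*\)\.\([0-9][0-9]*\)\(p\([0-9][0-9]*\)\)\{0,1\}.*/\2 \3 \5/p')
    if [ -z "$ver" ]; then
        return 2            # not a recognisable OpenSSH version string
    fi
    set -- $ver
    num=$(($1 * 100 + $2))  # 7.1 -> 701
    patch=${3:-1}           # a bare "7.1" is treated as 7.1p1
    if [ "$num" -lt 504 ] || [ "$num" -gt 701 ]; then
        return 1            # older than 5.4 or newer than 7.1: not affected
    fi
    if [ "$num" -eq 701 ] && [ "$patch" -ge 2 ]; then
        return 1            # 7.1p2 shipped the fix
    fi
    return 0
}

roaming_disabled_in_config() {
    # Mirrors ssh_config(5) parsing closely enough for this one keyword:
    # keywords are case-insensitive, "Key value" and "Key=value" are
    # equivalent, and the first obtained value wins. A directive inside a
    # Host/Match block that does not cover every host is ignored here,
    # because it protects only the hosts that block matches.
    awk '
        BEGIN { scope = 1 }
        { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next }
        { gsub(/=/, " "); key = tolower($1) }
        key == "host"  { scope = (NF == 2 && $2 == "*") ? 1 : 0; next }
        key == "match" { scope = (NF == 2 && tolower($2) == "all") ? 1 : 0; next }
        key == "useroaming" && scope { print tolower($2); exit }
    ' "$1" | grep -qx no
}
```

A config with no applicable UseRoaming line is reported as not mitigated, since the affected clients default to roaming enabled.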
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-01-14 15:24:18 UTC
Working on it...
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-01-14 15:35:47 UTC
commit ad9f88e38be8085905214a94bc48913b095bd85a
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Thu Jan 14 16:30:58 2016

    net-misc/openssh: Security bump for CVE-2016-0777 (bug #571892).

    Package-Manager: portage-2.2.26
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>


This revision bump only fixes CVE-2016-0777 and not the other two security fixes which went into openssh-7.1p2.
The 7.1p2 release requires work on the hpn patches, so I decided to release a fixed version for this CVE first.

Arches please test and mark stable =net-misc/openssh-7.1_p1-r3 with target KEYWORDS:

alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux
Comment 3 Hanno Böck gentoo-dev 2016-01-14 16:35:35 UTC
> The 7.1p2 release requires work on the hpn patches so I decided to release a
> fixed version for this CVE first.

This has happened before. I think it is not a good situation when the hpn patches delay the deployment of openssh security fixes. (I also wonder why hpn is enabled by default - very likely these patches got much less security review than stock openssh and also enable potentially dangerous features.)
Comment 4 SpanKY gentoo-dev 2016-01-14 18:37:17 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #2)

i'll take care of the hpn bump
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2016-01-14 20:08:05 UTC
*** Bug 571930 has been marked as a duplicate of this bug. ***
Comment 6 Hanno Böck gentoo-dev 2016-01-14 20:27:42 UTC
Please note the release notes mention two additional security issues not related to roaming:

 * SECURITY: Eliminate the fallback from untrusted X11-forwarding
   to trusted forwarding for cases when the X server disables
   the SECURITY extension. Reported by Thomas Hoger.

 * SECURITY: Fix an out-of-bound read access in the packet handling
   code. Reported by Ben Hawkes.

They're probably not very severe, but should be kept in mind.

https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034680.html
Comment 7 Richard Freeman gentoo-dev 2016-01-14 20:40:13 UTC
amd64 stable
Comment 8 SpanKY gentoo-dev 2016-01-14 21:00:34 UTC
7.1p2 is now in the tree with various updates
Comment 9 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-01-15 08:25:20 UTC
Thank you vapier. Unfortunately I didn't have enough time to finish this yesterday. By the way, sorry I didn't test USE="-hpn X509" properly.

Arches please test and mark stable =net-misc/openssh-7.1_p2 with target KEYWORDS:

alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux
Comment 10 Agostino Sarubbo gentoo-dev 2016-01-15 09:16:27 UTC
stable for alpha/amd64/arm/ia64/ppc/ppc64/s390/sh/sparc/x86
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2016-01-15 11:31:34 UTC
(In reply to Agostino Sarubbo from comment #10)
> stable for alpha/amd64/arm/ia64/ppc/ppc64/s390/sh/sparc/x86

Testing 10 different platforms in under an hour. That's really impressive.
Comment 12 SpanKY gentoo-dev 2016-01-15 14:11:07 UTC
i've done the few remaining ones now
Comment 13 Agostino Sarubbo gentoo-dev 2016-01-15 14:47:52 UTC
(In reply to Jeroen Roovers from comment #11)
> Testing 10 different platforms in under an hour. That's really impressive.

Automated tests?
Comment 14 Agostino Sarubbo gentoo-dev 2016-01-15 15:24:56 UTC
maintainer please cleanup
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2016-04-04 20:38:41 UTC
This issue was resolved and addressed in
 GLSA 201601-01 at https://security.gentoo.org/glsa/201601-01
by GLSA coordinator Yury German (BlueKnight).
Comment 16 Aaron Bauman (RETIRED) gentoo-dev 2016-06-11 11:08:33 UTC
Cleanup needs to be completed.
Comment 17 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-06-11 12:29:55 UTC
commit 0a6f7c3566cca467497f37ff9ea82c4767f14a2b
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Sat Jun 11 14:29:14 2016

    net-misc/openssh: Security cleanup (bug #571892).

    Kept latest ebuild with hpn USE flag as it's ~arch anyway and gets superseded
    by the latest "secure" version anyway.

    Package-Manager: portage-2.2.28
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Comment 18 Aaron Bauman (RETIRED) gentoo-dev 2016-06-12 00:36:54 UTC
Lars, thanks for quick cleanup!