NAS Posted January 14, 2016 Share Posted January 14, 2016 http://undeadly.org/cgi?action=article&sid=20160114142733 As it stands this looks like it will be an urgent fix to deploy. * SECURITY: ssh(1): The OpenSSH client code between 5.4 and 7.1 contains experimential support for resuming SSH-connections (roaming). The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys. The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers. MITIGATION: For OpenSSH >= 5.4 the vulnerable code in the client can be completely disabled by adding 'UseRoaming no' to the gobal ssh_config(5) file, or to user configuration in ~/.ssh/config, or by passing -oUseRoaming=no on the command line. Quote Link to comment
jonp Posted January 15, 2016 Share Posted January 15, 2016 http://undeadly.org/cgi?action=article&sid=20160114142733 As it stands this looks like it will be an urgent fix to deploy. * SECURITY: ssh(1): The OpenSSH client code between 5.4 and 7.1 contains experimential support for resuming SSH-connections (roaming). The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys. The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers. MITIGATION: For OpenSSH >= 5.4 the vulnerable code in the client can be completely disabled by adding 'UseRoaming no' to the gobal ssh_config(5) file, or to user configuration in ~/.ssh/config, or by passing -oUseRoaming=no on the command line. While we will patch this, it's actually not as urgent as you think. This is an SSH CLIENT issue, not a server issue. While we do include the ssh client with unRAID, the bug is only relevant if you are using it to initiate an SSH session from unRAID to another system, which isn't something we directly support or suggest (it would require you to login via command line to do this). Connections TO unRAID from other devices does not make unRAID vulnerable to this bug. Quote Link to comment
WeeboTech Posted January 15, 2016 Share Posted January 15, 2016 Keep in mind that some people use rsync over ssh to remote servers locally and over the internet (and over a VPN). Quote Link to comment
jonp Posted January 15, 2016 Share Posted January 15, 2016 Keep in mind that some people use rsync over ssh to remote servers locally and over the internet (and over a VPN). Which is why we will patch it, but that isn't technically something we directly support or even suspect a large percentage of our users to be doing. Just trying to highlight the difference in criticalness between this type of bug that only affects a few extra savvy users compared to the majority that restrict themselves to the confines our what unRAID OS provides through the webgui. Quote Link to comment
jonp Posted January 16, 2016 Share Posted January 16, 2016 Just an FYI, this is now patched in 6.1.7!! Hoping to see a release tonight!! Quote Link to comment
sparklyballs Posted January 16, 2016 Share Posted January 16, 2016 Just an FYI, this is now patched in 6.1.7!! Hoping to see a release tonight!! soon™ has been retired ? Quote Link to comment
NAS Posted January 16, 2016 Author Share Posted January 16, 2016 Just an FYI, this is now patched in 6.1.7!! Hoping to see a release tonight!! Good news. However can you confirm this as openssh (SSA:2016-014-01) was not in the release notes Quote Link to comment
jonp Posted January 16, 2016 Share Posted January 16, 2016 Just an FYI, this is now patched in 6.1.7!! Hoping to see a release tonight!! Good news. However can you confirm this as openssh (SSA:2016-014-01) was not in the release notes Yes, Eric caught we missed that in the release notes but its actually there. Quote Link to comment
NAS Posted January 18, 2016 Author Share Posted January 18, 2016 Please update the release notes to close down this CVE as complete and solved. Compliments on the fast turn around. Quote Link to comment
NAS Posted January 26, 2016 Author Share Posted January 26, 2016 Polite 8 day bump. LT official release notes do not document this patch. Marking as fixed as dedicated release note bug posted here http://lime-technology.com/forum/index.php?topic=45799.0 Quote Link to comment
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.