OpenSSH: information leak in ssh client (CVE-2016-0777)

  • 7017180
  • 21-Jan-2016
  • 27-Jan-2016

Environment

Novell Filr 1.2
Novell Filr 1.1

Situation

Since version 5.4 (released on March 8, 2010), the OpenSSH client supports an undocumented feature called "roaming": If the connection to a SSH server breaks unexpectedly and if the server supports roaming as well, the client is able to reconnect to the server and resume the suspended SSH session.

Although roaming is not supported by the OpenSSH server, it is enabled by default in the OpenSSH client and contain an information leak (memory disclosure that can be exploited by a malicious SSH server or a trusted but compromised server).

Imporant: As mentioned above this is a Client vulnerability, not a server vulnerability.

Resolution

A fix for this issue is available in the Filr 1.2 Security Update 1 / Filr 1.1 Security Update 5, available via the Novell Patch Finder.

Additional Information

Feedback service temporarily unavailable. For content questions or problems, please contact Support.