20160117 Updated to openssh-7.1p2


release-7.1

Changes since OpenSSH 7.1p1
===========================

 * SECURITY: ssh(1): The OpenSSH client code between 5.4 and 7.1
   contains experimental support for resuming SSH-connections (roaming).

   The matching server code has never been shipped, but the client
   code was enabled by default and could be tricked by a malicious
   server into leaking client memory to the server, including private
   client user keys.

   The authentication of the server host key prevents exploitation
   by a man-in-the-middle, so this information leak is restricted
   to connections to malicious or compromised servers.

   MITIGATION: For OpenSSH >= 5.4 the vulnerable code in the client
   can be completely disabled by adding 'UseRoaming no' to the global
   ssh_config(5) file, or to user configuration in ~/.ssh/config,
   or by passing -oUseRoaming=no on the command line.

   PATCH: See below for a patch to disable this feature (Disabling
   Roaming in the Source Code).

   This problem was reported by the Qualys Security Advisory team.

 * SECURITY: Fix an out-of-bound read access in the packet handling
   code. Reported by Ben Hawkes.

 * PROTOCOL: Correctly interpret the 'first_kex_follows' option during
   the initial key exchange. Reported by Matt Johnston.

 * Further use of explicit_bzero has been added in various buffer
   handling code paths to guard against compilers aggressively
   doing dead-store removal.

・For details, see the release notes on the OpenSSH site
・(www.openssh.com/txt/release-7.1p2)
・A Japanese translation is available on Haruyama-san's site (haruyama.blog.jp/)
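
A check for the 'UseRoaming no' mitigation quoted above, as an added example that is not part of the original post or of the OpenSSH release notes. The function name `audit_roaming` and the sample configuration are constructed for illustration; the logic relies on the ssh_config(5) rule that the first value obtained for an option wins, and it conservatively reports `enabled` for any `UseRoaming yes` reached before a global `no`.

```shell
#!/bin/sh
# Added example (not from the original page): audit one ssh_config(5) file,
# or stdin, for the 'UseRoaming no' mitigation. Prints one of:
#   mitigated - 'UseRoaming no' is reached first and applies to every host
#   enabled   - a 'UseRoaming yes' is reached before any global 'no'
#   unset     - no global setting; affected clients then use their default
audit_roaming() {
    awk '
    # Skip blank lines and comment lines.
    NF == 0 || $1 ~ /^#/ { next }
    {
        # ssh_config accepts "Keyword value" and "Keyword=value";
        # rewriting $0 makes awk split the fields again.
        sub(/[ \t]*=[ \t]*/, " ")
        kw = tolower($1)            # keywords are case-insensitive

        # Track whether the current block applies to every host.
        if (kw == "host")  { global = (NF == 2 && $2 == "*"); next }
        if (kw == "match") { global = (NF == 2 && tolower($2) == "all"); next }
        if (kw != "useroaming") next

        # First obtained value wins, so the first decisive line ends the scan.
        if ($2 == "yes" || $2 == "true") { result = "enabled"; exit }
        if (($2 == "no" || $2 == "false") && global) { result = "mitigated"; exit }
        # A host-specific "no" protects only that host: keep scanning.
    }
    BEGIN { global = 1; result = "unset" }   # lines before any Host are global
    END   { print result }
    ' "$@"
}

# Constructed sample: a host-specific override placed ahead of the global
# mitigation, so roaming stays enabled for that host.
printf '%s\n' \
    'Host legacy.example' \
    '    UseRoaming yes' \
    'Host *' \
    '    UseRoaming no' | audit_roaming
```

ssh reads command-line options first, then `~/.ssh/config`, then the system-wide `ssh_config`, so run the check on the user file as well as the global one.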
