Rapid7 VulnDB

RHSA-2016:0043: openssh security update

Back to Search

RHSA-2016:0043: openssh security update

Severity
7
CVSS
(AV:N/AC:H/Au:S/C:P/I:P/A:P)
Published
01/14/2016
Created
07/25/2018
Added
01/18/2016
Modified
03/21/2018

Description

OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation.These packages include the core files necessary for both the OpenSSH clientand server.An information leak flaw was found in the way the OpenSSH client roamingfeature was implemented. A malicious server could potentially use this flawto leak portions of memory (possibly including private SSH keys) of asuccessfully authenticated OpenSSH client. (CVE-2016-0777)A buffer overflow flaw was found in the way the OpenSSH client roamingfeature was implemented. A malicious server could potentially use this flawto execute arbitrary code on a successfully authenticated OpenSSH client ifthat client used certain non-default configuration options. (CVE-2016-0778)Red Hat would like to thank Qualys for reporting these issues.All openssh users are advised to upgrade to these updated packages, whichcontain backported patches to correct these issues. After installing thisupdate, the OpenSSH server daemon (sshd) will be restarted automatically.

Solution(s)

  • redhat-upgrade-openssh
  • redhat-upgrade-openssh-askpass
  • redhat-upgrade-openssh-clients
  • redhat-upgrade-openssh-debuginfo
  • redhat-upgrade-openssh-keycat
  • redhat-upgrade-openssh-ldap
  • redhat-upgrade-openssh-server
  • redhat-upgrade-openssh-server-sysvinit
  • redhat-upgrade-pam_ssh_agent_auth

References

  • redhat-upgrade-openssh
  • redhat-upgrade-openssh-askpass
  • redhat-upgrade-openssh-clients
  • redhat-upgrade-openssh-debuginfo
  • redhat-upgrade-openssh-keycat
  • redhat-upgrade-openssh-ldap
  • redhat-upgrade-openssh-server
  • redhat-upgrade-openssh-server-sysvinit
  • redhat-upgrade-pam_ssh_agent_auth

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;