leeand00's picture
leeand00 - Fri, 2016/01/15 - 16:03

Yesterday I read that there are some bugs tha have been found with OpenSSH, called CVE-2016-0777 and CVE-2016-0778, and I was just wondering if there has been a patch put out for TKL 13 yet or not.

Thank you,

   leeand00

Forum: 
Support
leeand00's picture

leeand00 - Fri, 2016/01/15 - 16:04

https://www.digitalocean.com/community/questions/openssh-client-bug-cve-2016-0777-and-cve-2016-0778

Jeremy Davis's picture

Jeremy Davis - Sat, 2016/01/16 - 00:27
So unless you use Linux on your desktop (or OpenSSH on Mac or Android) then you are not vulnerable. Having said that, TurnKey servers also include the client. It is probably rare that you would have used your TurnKey server to connect via SSH to another server but it is possible.

On the Debian security tracker (CVE-2016-0777 & CVE-2016-0778) you can see that Squeeze (v12.x - assuming LTS has been enabled), Wheezy (v13.0) & Jessie (v14.0) have all had patches released. Both v13 & v14 should have already installed these patched version (as per auto security updates). To check do this: 

apt-cache policy openssh-client
And check the version against the relevant "fixed" version noted on the Debian security tracker (links above).

FWIW, for bug to be exploited, it requires you to connect a vulnerable client to a malicious host. So if you have only used SSH to connect to known good servers then you should be fine.

However if you access any public servers via SSH (e.g. GitHub) then generating fresh SSH keys is probably a good idea to be on the safe side...

Add new comment