A buffer overflow flaw was found in the way the OpenSSH client roaming feature was implemented. A malicious server could potentially use this flaw to execute arbitrary code on a successfully authenticated OpenSSH client if that client used certain non-default configuration options.
A buffer overflow was found in the way the OpenSSH client handled roaming connections. This buffer overflow is present in the default configuration of the OpenSSH client, but its exploitation requires two non-default options: a ProxyCommand, and either ForwardAgent (-A) or ForwardX11 (-X).
This buffer overflow is not exploitable in the default configuration of the OpenSSH package shipped with Red Hat Enterprise Linux.
Red Hat would like to thank Qualys for reporting this issue.
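To find client configurations that enable the option combination named above (a ProxyCommand together with ForwardAgent or ForwardX11), the effective per-host settings can be inspected. The following is an added example, not part of the original report or of OpenSSH; it assumes a client that supports `ssh -G` (OpenSSH 6.8 and later), and the function names and sample host names are hypothetical. A match reports the option combination only, not whether the installed client version is affected.

```shell
#!/bin/sh
# Reads `ssh -G <host>` output on stdin: one "keyword value" pair per line.
# Exit 0 if a ProxyCommand is set AND ForwardAgent or ForwardX11 is enabled,
# exit 1 otherwise.
roaming_options_present() {
    awk '
        { key = tolower($1); val = tolower($2) }
        key == "proxycommand" && NF > 1 && val != "none" { proxy = 1 }
        key == "forwardagent" && NF > 1 && val != "no"   { fwd = 1 }
        key == "forwardx11"   && NF > 1 && val != "no"   { fwd = 1 }
        END { exit !(proxy && fwd) }
    '
}

# Check each host alias given as an argument against the live configuration.
# A failing `ssh -G` (for example a client too old to support it) is reported
# instead of being silently treated as "not flagged".
check_hosts() {
    for host in "$@"; do
        cfg=$(ssh -G "$host" 2>/dev/null) || {
            echo "$host: could not read effective configuration" >&2
            continue
        }
        if printf '%s\n' "$cfg" | roaming_options_present; then
            echo "$host: ProxyCommand combined with agent or X11 forwarding"
        fi
    done
}

# Constructed sample of `ssh -G` output (not taken from a real system).
sample_config() {
    printf '%s\n' \
        'hostname internal.example' \
        'forwardagent yes' \
        'forwardx11 no' \
        'proxycommand ssh -W %h:%p jump.example'
}

sample_config | roaming_options_present && echo "constructed sample: flagged"
```

Run `check_hosts` with the host aliases from `~/.ssh/config` to audit a workstation.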
Created openssh tracking bugs for this issue:
Affects: fedora-all [bug 1298630]
Public now via upstream release 7.1p2:
A detailed analysis of this issue was published by Qualys at:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:0043 https://rhn.redhat.com/errata/RHSA-2016-0043.html
Created gsi-openssh tracking bugs for this issue:
Affects: fedora-all [bug 1298817]
Affects: epel-7 [bug 1298818]
gsi-openssh-7.1p2-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
gsi-openssh-6.9p1-7.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
gsi-openssh-6.6.1p1-3.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.