DSA-3446-1 (SSH vulnerability)
This is a late update, and I’m definitely sorry for being late, but I promised to write it so I have to!
Ther will not be a maintenance release for the recent OpenSSH vulnerability.
The reason for it is insufficiently high risk. This is the first time we choose to ignore a vulnerability, but it’s so easy to hotfix on a live system that it hardly warrants an updated image.
It affects only the OpenSSH client, so remote attackers cannot use it for attacks on your VyOS machines. Config backup to SFTP uses libssh2 rather than the OpenSSH client, so it’s not affected.
The only case when you are vulnerable is connecting to untrusted or compromised servers from VyOS itself.
If you do have a habit of SSH'ing from VyOS, you can add this line to /etc/ssh/ssh_config for a hotfix:
UseRoaming no
Alternatively you can pull and install OpenSSH 5.5p1-6+squeeze8 from squeeze-lts repositories.
The update will be included in the lithium release.
If this is a serious concern for you and you routinely deploy new routers and don’t think it’s feasible to edit the SSH config on each of them, let us know, we can include the update in helium nightly builds that are otherwise frozen and safe to install on production machines.
Comments