OpenSSH security bulletins CVE-2016-0777 & CVE-2016-0778

The OpenSSH project has disclosed two new security issues affecting their OpenSSH client software when connecting to a rogue server.

Affected Products

  • Coda 1
  • Coda 2 Terminal and MySQL connections
  • Transmit 4 (and older versions)

Unaffected Products

  • Coda 2 file transfers
  • Coda for iOS
  • Transmit for iOS
  • Prompt
  • Status Board

Mitigation

Apple will need to release an update to the built-in OpenSSH client software found on Mac OS X. Until then, users can protect themselves by doing the following:

CVE-2016-0777

  1. Open the Terminal application
  2. Type cd ~/.ssh/ and press return
  3. Type open . and press return
  4. Open the file config in TextEdit
  5. At the top of the file add the following line UseRoaming no
  6. Save and close the file

CVE-2016-0778

Disable the use of the following ssh configuration options until the client software is patched:

  • ProxyCommand
  • ForwardAgent
  • ForwardX11

Notice: These options are disabled in a default configuration.