OpenSSH security bulletins CVE-2016-0777 & CVE-2016-0778

The OpenSSH project has disclosed two new security issues affecting their OpenSSH client software when connecting to a rogue server.

Affected Products

  • Coda 1
  • Coda 2 Terminal and MySQL connections
  • Transmit 4 (and older versions)

Unaffected Products

  • Coda 2 file transfers
  • Coda for iOS
  • Transmit for iOS
  • Prompt
  • Status Board


Apple will need to release an update to the built-in OpenSSH client software found on Mac OS X. Until then, users can protect themselves by doing the following:


  1. Open the Terminal application
  2. Type cd ~/.ssh/ and press return
  3. Type open . and press return
  4. Open the file config in TextEdit
  5. At the top of the file add the following line UseRoaming no
  6. Save and close the file


Disable the use of the following ssh configuration options until the client software is patched:

  • ProxyCommand
  • ForwardAgent
  • ForwardX11

Notice: These options are disabled in a default configuration.