VanDyke Software Forums


MUQRIN 01-16-2016 11:55 PM

Critical Secure Bug in openSSH!
 
Gentlemen,

There's some news about a critical bug when using OpenSSH. We would like to be sure that SecureCRT is protected against this security bug. Please refer to the link below:
http://thehackernews.com/2016/01/ope...okeys.html?m=1

Regards,

bgagnon 01-18-2016 07:13 AM

Hi Muqrin,

Our initial findings indicate that the CVE-2016-0777 (information leak) and CVE-2016-0778 (buffer overflow) vulnerabilities are specific to OpenSSH client code from version 5.4 to 7.1.

VanDyke Software products do not share/use OpenSSH code. Therefore this vulnerability does not apply to any VanDyke Software product.

If our investigation yields anything other than our initial findings, we will be sure to post in this forum thread.

If you prefer direct email notification, send an email to support@vandyke.com and include "Forum Thread #12206" in the subject line.

jdev 01-19-2016 03:08 PM

Summary
CVE-2016-0777 (information leak) and CVE-2016-0778 (buffer overflow) vulnerabilities are not applicable to VanDyke Software products.

Description
CVE-2016-0777 (information leak) and CVE-2016-0778 (buffer overflow) vulnerabilities are specific to OpenSSH client code from version 5.4 to 7.1 in which some left-over code from an experimental "roaming" feature is the root cause of these vulnerabilities.
VanDyke Software products do not share or use OpenSSH code, nor is the "roaming" feature implemented or supported in any way. These vulnerabilities are not applicable to any VanDyke Software product.

Products Affected
These vulnerabilities are not present in any VanDyke Software products.

Details
The information leak (CVE-2016-0777) is specific to the OpenSSH support of a "resume@appgate.com" key exchange algorithm and an SSH protocol request of "roaming@appgate.com", both of which are directly tied to OpenSSH's experimental "roaming" feature, which is not present in any VanDyke Software product.

The buffer overflow vulnerability (CVE-2016-0778) is also specific to OpenSSH support of the experimental "roaming" feature, which is also not present in any VanDyke Software product.

Recommended Solution
VanDyke Software products aren't vulnerable to either CVE-2016-0777 or CVE-2016-0778.

Official Postings
https://www.qualys.com/2016/01/14/cv...-2016-0778.txt
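
Added example, not part of the thread and not VanDyke or OpenSSH code: a Python check for hosts that do run the OpenSSH client, flagging a client whose `ssh -V` banner falls in the 5.4 to 7.1 range quoted above and whose ssh_config does not switch the roaming feature off for every host. The `UseRoaming` option name comes from OpenSSH's own advisory rather than from this thread; the function names, result labels and sample banner/config are constructed, and a distribution package can be patched without its version number changing, so "review" means check the vendor advisory.

```python
import re

# Affected OpenSSH client range as stated in the thread: 5.4 through 7.1.
AFFECTED_MIN, AFFECTED_MAX = (5, 4), (7, 1)

def client_version(banner):
    """Return (major, minor) from `ssh -V` output, or None if unrecognised."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

def roaming_disabled_for_all_hosts(config_text):
    """ssh_config uses the first value obtained for each option, so roaming is
    off for every host only if no directive enables it before a global 'no'."""
    global_scope = True          # lines before any Host/Match apply to all hosts
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        arg = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        if key == "host":
            global_scope = arg.split() == ["*"]
        elif key == "match":
            global_scope = arg == "all"
        elif key == "useroaming":
            if arg != "no":
                return False     # roaming left enabled for at least some hosts
            if global_scope:
                return True
    return False                 # assumption: option unset means roaming is on

def audit(banner, config_text):
    """Classify one client from its version banner and one ssh_config file."""
    version = client_version(banner)
    if version is None:
        return "unknown"
    if not (AFFECTED_MIN <= version <= AFFECTED_MAX):
        return "outside-affected-range"
    return "mitigated" if roaming_disabled_for_all_hosts(config_text) else "review"

# Constructed sample inputs (not taken from the thread).
SAMPLE_BANNER = "OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014"
SAMPLE_CONFIG = "Host legacy.example.net\n  UseRoaming yes\nHost *\n  UseRoaming no\n"

if __name__ == "__main__":
    print(audit(SAMPLE_BANNER, SAMPLE_CONFIG))
```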

All times are GMT -6.