From ${URL} :

A memory exhaustion issue in OpenSSH that can be triggered before user authentication was found. An unauthenticated attacker could consume approx. 400 MB of memory per each connection. The attacker could set up multiple such connections to run out of server’s memory.

Affected versions: openssh-6.8p1, openssh-6.9p1, openssh-7.0p1, openssh-7.1p1, openssh-7.2p1, openssh-7.3p1.

Upstream patch: https://github.com/openssh/openssh-portable/commit/ec165c392ca54317dbe3064a8c200de6531e89ad

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
commit 4a9ab68a607415d932b524eab2f523d1e9ce77e1
Author: Patrick McLean <chutzpah@gentoo.org>
Date: Mon Oct 17 10:48:45 2016 -0700

net-misc/openssh: Revision bump, add patch to fix a preauth memory consumption issue

Gentoo-Bug: 597360
Package-Manager: portage-2.3.2

Stabilization of this should be fine.
@arches, please stabilize: =net-misc/openssh-7.3_p1-r7
amd64 stable
x86 stable
Stable on alpha.
Stable for HPPA PPC64.
arm stable
ppc stable
sparc stable
ia64 stable. Maintainer(s), please cleanup.
arm stable, all arches done.
This issue was resolved and addressed in GLSA 201612-18 at https://security.gentoo.org/glsa/201612-18 by GLSA coordinator Aaron Bauman (b-man).
@maintainer(s), reopened for cleanup.
Cleanup PR: https://github.com/gentoo/gentoo/pull/3405
Cleaned up via 72c64a401d9595aa1da76ae25eda2b9e13b5234a
*** Bug 606144 has been marked as a duplicate of this bug. ***