Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 763048 (CVE-2020-14145)

Summary: <net-misc/openssh-8.4_p1: info leak in algorithm negotiation (CVE-2020-14145)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: minor CC: base-system
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A4 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 751484    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-02 06:29:31 UTC

The client side in OpenSSH 5.7 through 8.3 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client).

Comment 1 Larry the Git Cow gentoo-dev 2021-02-06 13:49:08 UTC
The bug has been referenced in the following commit(s):

commit 6c78ffd4871e513b3c7ef6599503b446929b7ace
Author:     Thomas Deutschmann <>
AuthorDate: 2021-02-06 13:48:26 +0000
Commit:     Thomas Deutschmann <>
CommitDate: 2021-02-06 13:48:26 +0000

    net-misc/openssh: security cleanup (#763048)
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Thomas Deutschmann <>

 net-misc/openssh/Manifest                 |  13 -
 net-misc/openssh/openssh-8.1_p1-r5.ebuild | 471 ---------------------------
 net-misc/openssh/openssh-8.2_p1-r8.ebuild | 486 ----------------------------
 net-misc/openssh/openssh-8.3_p1-r6.ebuild | 511 ------------------------------
 4 files changed, 1481 deletions(-)
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2021-05-24 00:23:32 UTC
New GLSA request filed.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 10:37:32 UTC
This issue was resolved and addressed in
 GLSA 202105-35 at
by GLSA coordinator Thomas Deutschmann (whissi).