Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 763048 (CVE-2020-14145) - <net-misc/openssh-8.4_p1: info leak in algorithm negotiation (CVE-2020-14145)
Summary: <net-misc/openssh-8.4_p1: info leak in algorithm negotiation (CVE-2020-14145)
Alias: CVE-2020-14145
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: A4 [glsa+ cve]
Depends on: 751484
  Show dependency tree
Reported: 2021-01-02 06:29 UTC by John Helmert III
Modified: 2021-05-26 10:37 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-02 06:29:31 UTC

The client side in OpenSSH 5.7 through 8.3 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client).

Comment 1 Larry the Git Cow gentoo-dev 2021-02-06 13:49:08 UTC
The bug has been referenced in the following commit(s):

commit 6c78ffd4871e513b3c7ef6599503b446929b7ace
Author:     Thomas Deutschmann <>
AuthorDate: 2021-02-06 13:48:26 +0000
Commit:     Thomas Deutschmann <>
CommitDate: 2021-02-06 13:48:26 +0000

    net-misc/openssh: security cleanup (#763048)
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Thomas Deutschmann <>

 net-misc/openssh/Manifest                 |  13 -
 net-misc/openssh/openssh-8.1_p1-r5.ebuild | 471 ---------------------------
 net-misc/openssh/openssh-8.2_p1-r8.ebuild | 486 ----------------------------
 net-misc/openssh/openssh-8.3_p1-r6.ebuild | 511 ------------------------------
 4 files changed, 1481 deletions(-)
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2021-05-24 00:23:32 UTC
New GLSA request filed.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 10:37:32 UTC
This issue was resolved and addressed in
 GLSA 202105-35 at
by GLSA coordinator Thomas Deutschmann (whissi).