Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 763048 (CVE-2020-14145) - <net-misc/openssh-8.4_p1: info leak in algorithm negotiation (CVE-2020-14145)
Summary: <net-misc/openssh-8.4_p1: info leak in algorithm negotiation (CVE-2020-14145)
Status: RESOLVED FIXED
Alias: CVE-2020-14145
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: A4 [glsa+ cve]
Keywords:
Depends on: 751484
Blocks:
  Show dependency tree
 
Reported: 2021-01-02 06:29 UTC by John Helmert III
Modified: 2021-05-26 10:37 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2021-01-02 06:29:31 UTC
CVE-2020-14145:

The client side in OpenSSH 5.7 through 8.3 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client).

Patch: https://anongit.mindrot.org/openssh.git/commit/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d
Comment 1 Larry the Git Cow gentoo-dev 2021-02-06 13:49:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6c78ffd4871e513b3c7ef6599503b446929b7ace

commit 6c78ffd4871e513b3c7ef6599503b446929b7ace
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-02-06 13:48:26 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-02-06 13:48:26 +0000

    net-misc/openssh: security cleanup (#763048)
    
    Bug: https://bugs.gentoo.org/763048
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-misc/openssh/Manifest                 |  13 -
 net-misc/openssh/openssh-8.1_p1-r5.ebuild | 471 ---------------------------
 net-misc/openssh/openssh-8.2_p1-r8.ebuild | 486 ----------------------------
 net-misc/openssh/openssh-8.3_p1-r6.ebuild | 511 ------------------------------
 4 files changed, 1481 deletions(-)
Comment 2 Thomas Deutschmann gentoo-dev Security 2021-05-24 00:23:32 UTC
New GLSA request filed.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 10:37:32 UTC
This issue was resolved and addressed in
 GLSA 202105-35 at https://security.gentoo.org/glsa/202105-35
by GLSA coordinator Thomas Deutschmann (whissi).