From release notes (https://www.openssh.com/txt/release-8.6):

Security
* sshd(8): OpenSSH 8.5 introduced the LogVerbose keyword. When this
option was enabled with a set of patterns that activated logging
in code that runs in the low-privilege sandboxed sshd process, the
log messages were constructed in such a way that printf(3) format
strings could effectively be specified by the low-privilege code.
An attacker who had successfully exploited the low-privilege
process could use this to escape OpenSSH's sandboxing and attack
the high-privilege process. Exploitation of this weakness is
highly unlikely in practice as the LogVerbose option is not
enabled by default and is typically only used for debugging. No
vulnerabilities in the low-privilege process are currently known.
Thanks to Ilja Van Sprundel for reporting this bug.
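The class of bug described in the release note, reduced to an added C example (not OpenSSH's code and not the upstream patch): a privileged-side logger has to treat text from the sandboxed process as data and never as a printf(3) format. The names priv_log, handle_child_log and count_conversions are hypothetical, and the sample message is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the privileged process's log sink. */
static char last_log[256];

/* The format attribute lets -Wformat-security flag non-literal formats. */
static void priv_log(const char *fmt, ...) __attribute__((format(printf, 1, 2)));

static void priv_log(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_log, sizeof(last_log), fmt, ap);
    va_end(ap);
}

/* Count printf conversions in s; "%%" is a literal percent sign. */
static int count_conversions(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;        /* skip the escaped percent */
        else
            n++;
    }
    return n;
}

/* Privileged-side handler for a log line sent by the sandboxed process. */
static const char *handle_child_log(const char *untrusted)
{
    /* Unsafe form: priv_log(untrusted); the sender would choose the format. */
    priv_log("%s", untrusted);  /* constant format, untrusted text as data */
    return last_log;
}

int main(void)
{
    const char *msg = "user %s%n from %x";  /* constructed sample input */

    printf("conversions in message: %d\n", count_conversions(msg));
    printf("logged as: %s\n", handle_child_log(msg));
    return 0;
}
```

A non-zero count_conversions result on a message arriving from the low-privilege side is also a cheap signal worth logging or alerting on.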
The bug has been referenced in the following commit(s):
Author: Patrick McLean <firstname.lastname@example.org>
AuthorDate: 2021-04-23 23:14:10 +0000
Commit: Patrick McLean <email@example.com>
CommitDate: 2021-04-23 23:14:16 +0000
net-misc/openssh-8.6_p1: revbump, add X509 patch
Package-Manager: Portage-3.0.18, Repoman-3.0.3
Signed-off-by: Patrick McLean <firstname.lastname@example.org>
net-misc/openssh/Manifest | 1 +
.../files/openssh-8.6_p1-X509-glue-13.1.patch | 72 +++++
.../files/openssh-8.6_p1-hpn-15.2-X509-glue.patch | 357 +++++++++++++++++++++
...nssh-8.6_p1.ebuild => openssh-8.6_p1-r1.ebuild} | 4 +-
4 files changed, 432 insertions(+), 2 deletions(-)
No CVE. Gentoo became "affected" when 8.5 was stabilized via bug 774090. Upstream fix is https://github.com/openssh/openssh-portable/commit/faf2b86a46c9281d237bcdec18c99e94a4eb820a. However, there is no known way to trigger this. Even when all prerequisites are met (running with LogVerbose), you still need to find a way to exploit the low-privilege process, which would be a vulnerability of its own.
We will stabilize 8.6 due to this, but no GLSA until the CVE/situation changes.
Unable to check for sanity:
> no match for package: net-misc/openssh-8.6_p1-r1