From release notes (https://www.openssh.com/txt/release-8.6):

Security
========

 * sshd(8): OpenSSH 8.5 introduced the LogVerbose keyword. When this option was enabled with a set of patterns that activated logging in code that runs in the low-privilege sandboxed sshd process, the log messages were constructed in such a way that printf(3) format strings could effectively be specified by the low-privilege code.

   An attacker who had successfully exploited the low-privilege process could use this to escape OpenSSH's sandboxing and attack the high-privilege process. Exploitation of this weakness is highly unlikely in practice as the LogVerbose option is not enabled by default and is typically only used for debugging. No vulnerabilities in the low-privilege process are currently known to exist.

   Thanks to Ilja Van Sprundel for reporting this bug.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dd069ebac8b0f15edc1dee19bb77f9611b5a812a

commit dd069ebac8b0f15edc1dee19bb77f9611b5a812a
Author:     Patrick McLean <chutzpah@gentoo.org>
AuthorDate: 2021-04-23 23:14:10 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2021-04-23 23:14:16 +0000

    net-misc/openssh-8.6_p1: revbump, add X509 patch

    Bug: https://bugs.gentoo.org/785034
    Bug: https://bugs.gentoo.org/784896
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 net-misc/openssh/Manifest | 1 +
 .../files/openssh-8.6_p1-X509-glue-13.1.patch | 72 +++++
 .../files/openssh-8.6_p1-hpn-15.2-X509-glue.patch | 357 +++++++++++++++++++++
 ...nssh-8.6_p1.ebuild => openssh-8.6_p1-r1.ebuild} | 4 +-
 4 files changed, 432 insertions(+), 2 deletions(-)
No CVE. Gentoo became "affected" when 8.5 was stabilized via bug 774090.

Upstream fix is https://github.com/openssh/openssh-portable/commit/faf2b86a46c9281d237bcdec18c99e94a4eb820a.

However, there is no known way to trigger this. Even when all prerequisites are met (running with LogVerbose), you still need to find a way to exploit the low-privilege process, which would be a vulnerability of its own.

We will stabilize 8.6 due to this, but no GLSA until the CVE/situation changes.
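
A check for the two preconditions discussed above (an OpenSSH 8.5 server with an active LogVerbose directive), as an added example that is not part of the original bug thread or of OpenSSH. The function names and the sample banner and configuration are constructed for illustration, and the parser reads a single file without following Include directives.

```python
import re

# Constructed sample input, not taken from any real host.
SAMPLE_BANNER = "OpenSSH_8.5p1, OpenSSL 1.1.1k  25 Mar 2021"
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
#LogVerbose kex.c:*:1000
LogLevel INFO
logverbose kex.c:*:1000,*:kex_exchange_identification():*
Match User backup
    LogVerbose=packet.c:*
"""

def parse_version(banner):
    """Return (major, minor) from a banner such as 'OpenSSH_8.5p1, ...'."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

def logverbose_entries(config_text):
    """Return (line_no, [patterns]) for every active LogVerbose directive."""
    hits = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        # Keywords are case-insensitive; also tolerate 'keyword=value'.
        m = re.match(r"([A-Za-z]+)\s*(?:=\s*|\s+)(.*)$", line)
        if m and m.group(1).lower() == "logverbose":
            arg = m.group(2).strip().strip('"')
            hits.append((no, [p for p in arg.split(",") if p]))
    return hits

def assess(banner, config_text):
    """Both conditions from the release notes must hold: 8.5 and LogVerbose."""
    version = parse_version(banner)
    entries = logverbose_entries(config_text)
    return {
        "version": version,
        "logverbose": entries,
        # 8.5 introduced LogVerbose; 8.6 carries the fix.
        "exposed": version == (8, 5) and bool(entries),
    }

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONFIG))
```

A result of `exposed: True` only means the configuration precondition is met; as the comment above notes, an attacker would still need a separate flaw in the low-privilege process.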
x86 done
arm64 done
amd64 done
arm done
sparc done
ppc done
ppc64 done
hppa done
Please clean up.
Unable to check for sanity:

> no match for package: net-misc/openssh-8.6_p1-r1
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=307230a6d1ac9ebf6a354de7f4ed60a4879e2fdc

commit 307230a6d1ac9ebf6a354de7f4ed60a4879e2fdc
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2021-12-18 05:11:36 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2021-12-19 01:10:04 +0000

    net-misc/openssh: drop 8.5_p1-r2

    Bug: https://bugs.gentoo.org/784896
    Acked-By: Sam James <sam@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-misc/openssh/Manifest | 3 -
 net-misc/openssh/openssh-8.5_p1-r2.ebuild | 510 ------------------------------
 2 files changed, 513 deletions(-)
Cleaned up. No GLSA, so all done!