CVE-2014-2653
Published: 27 March 2014
The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate.
Notes
| Author | Note |
|---|---|
| mdeslaur | code is different in lucid, and doesn't seem vulnerable |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
openssh Launchpad, Ubuntu, Debian |
upstream |
Needs triage
|
| lucid |
Not vulnerable
|
|
| precise |
Released
(1:5.9p1-5ubuntu1.3)
|
|
| quantal |
Released
(1:6.0p1-3ubuntu1.2)
|
|
| saucy |
Released
(1:6.2p2-6ubuntu0.3)
|
|
|
Patches: vendor: http://anonscm.debian.org/gitweb/?p=pkg-ssh/openssh.git;a=commit;h=63d5fa28e16d96db6bac2dbe3fcecb65328f8966 upstream: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshconnect.c.diff?r1=1.246;r2=1.247 |
||