CVE-2016-10708

Published: 21 January 2018

sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.

Priority

Low

CVSS 3 base score: 7.5

Status

Package Release Status
openssh
Launchpad, Ubuntu, Debian 		Upstream
Released (1:7.4p1-1)
Ubuntu 21.04 (Hirsute Hippo) Not vulnerable
(1:7.5p1-10)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(1:7.5p1-10)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(1:7.5p1-10)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (1:7.2p2-4ubuntu2.6)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (1:6.6p1-2ubuntu2.11)
Patches:
Upstream: https://anongit.mindrot.org/openssh.git/commit/?id=28652bca29046f62c7045e933e6b931de1d16737

Notes

AuthorNote
mdeslaur 
rated low as issue only allows crashing the per-connection
process, not the main daemon.

References

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Further reading