Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2024-39894

Published: 2 July 2024

OpenSSH 9.5 through 9.7 before 9.8 sometimes allows timing attacks against echo-off password entry (e.g., for su and Sudo) because of an ObscureKeystrokeTiming logic error. Similarly, other timing attacks against keystroke entry could occur.

Notes

AuthorNote
seth-arnold
openssh-ssh1 is provided for compatibility with old devices
that
cannot be upgraded to modern protocols. Thus we may not
provide security
support for this package if doing so would prevent access to
equipment.
mdeslaur
This is a feature introduced in 9.5, previous versions don't
have this feature at all.

Priority

Medium

Status

Package Release Status
openssh
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code not present)
focal Not vulnerable
(code not present)
jammy Not vulnerable
(code not present)
mantic Not vulnerable
(code not present)
noble
Released (1:9.6p1-3ubuntu13.4)
trusty Not vulnerable
(code not present)
upstream
Released (9.8)
xenial Not vulnerable
(code not present)
Patches:
upstream: https://github.com/openssh/openssh-portable/commit/146c420d29d055cc75c8606327a1cf8439fe3a08
openssh-ssh1
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code not present)
focal Not vulnerable
(code not present)
jammy Not vulnerable
(code not present)
mantic Not vulnerable
(code not present)
noble Not vulnerable
(code not present)
upstream Ignored
(frozen on openssh 7.5p)