CVE-2024-39894
Published: 2 July 2024
OpenSSH 9.5 through 9.7 before 9.8 sometimes allows timing attacks against echo-off password entry (e.g., for su and Sudo) because of an ObscureKeystrokeTiming logic error. Similarly, other timing attacks against keystroke entry could occur.
Notes
| Author | Note |
|---|---|
| seth-arnold |
openssh-ssh1 is provided for compatibility with old devices that cannot be upgraded to modern protocols. Thus we may not provide security support for this package if doing so would prevent access to equipment. |
| mdeslaur |
This is a feature introduced in 9.5, previous versions don't have this feature at all. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
openssh
Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(code not present)
|
| focal |
Not vulnerable
(code not present)
|
|
| jammy |
Not vulnerable
(code not present)
|
|
| mantic |
Not vulnerable
(code not present)
|
|
| noble |
Released
(1:9.6p1-3ubuntu13.4)
|
|
| trusty |
Not vulnerable
(code not present)
|
|
| upstream |
Released
(9.8)
|
|
| xenial |
Not vulnerable
(code not present)
|
|
|
Patches:
upstream: https://github.com/openssh/openssh-portable/commit/146c420d29d055cc75c8606327a1cf8439fe3a08 |
||
|
openssh-ssh1
Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(code not present)
|
| focal |
Not vulnerable
(code not present)
|
|
| jammy |
Not vulnerable
(code not present)
|
|
| mantic |
Not vulnerable
(code not present)
|
|
| noble |
Not vulnerable
(code not present)
|
|
| upstream |
Ignored
(frozen on openssh 7.5p)
|
|