oss-security - Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Wed, 3 Jul 2024 11:26:54 +0000
From: Qualys Security Advisory <qsa@...lys.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux
 systems

Hi all,

Many people have asked us about an alleged proof of concept named
"7etsuo-regreSSHion.c": it is not a proof of concept, it is essentially
empty code (it might even be dangerous to compile and execute, we have
not checked). It is not just the shellcode that is missing, everything
else is missing too: the key-exchange code does nothing, the public-key
code does nothing useful, etc etc.

It looks great but it does nothing. A working proof of concept for this
vulnerability will be much longer and complex, and will take much more
time to write than this.

Thank you very much! With best regards,

-- 
the Qualys Security Advisory team

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.