Date: Wed, 3 Jul 2024 13:20:22 +0200
From: Christian Fischer <christian.fischer@...enbone.net>
To: oss-security@...ts.openwall.com,
 Dominique Martinet <asmadeus@...ewreck.org>
Subject: Re: Announce: OpenSSH 9.8 released

Hi,

On 02.07.24 1:47 AM, Dominique Martinet wrote:
>> 2) Logic error in ssh(1) ObscureKeystrokeTiming
> 
> I couldn't find anything on this one.

it seems CVE-2024-39894 got assigned to this now:

 > OpenSSH 9.5 through 9.7 before 9.8 sometimes allows timing attacks
 > against echo-off password entry (e.g., for su and Sudo) because of an
 > ObscureKeystrokeTiming logic error. Similarly, other timing attacks
 > against keystroke entry could occur.
 >
 > https://www.cve.org/CVERecord?id=CVE-2024-39894

Regards,

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone AG, Neumarkt 12, 49074 Osnabrück, Germany
https://www.greenbone.net/
Company registry: Amtsgericht Osnabrück, HRB 218768
Board of directors: Dr. Jan-Oliver Wagner (CEO), Elmar Geese
Chairman of the Supervisory Board: Lukas Grunwald
