Hi,

On Sat, Nov 09, 2013 at 04:08:50PM +0100, Patrick Godschalk wrote:
> Package: openssh-server
> Version: 1:6.2p2-6~bpo7
> Severity: grave
> Tags: patch, security, fixed-upstream
>
> The recent security advisory from OpenSSH upstream dated 2013-11-07
> mentions that "a memory corruption vulnerability exists in the
> post-authentication sshd process when an AES-GCM cipher
> (aes128-...@openssh.com or aes256-...@openssh.com) is selected during
> kex exchange."
>
> "If exploited, this vulnerability might permit code execution with the
> privileges of the authenticated user and may therefore allow bypassing
> restricted shell/command configurations."
>
> This only applies to OpenSSH 6.2 and 6.3 built against OpenSSL
> supporting AES-GCM. It has been fixed in upstream, OpenSSH 6.4.
>
This seems to be the same as #729029?

Cheers,
GUO Yixuan