On Fri, Nov 13, 2020 at 5:34 AM Anuj Mittal <[email protected]> wrote:
>
> Hi Steve,
>
> On Fri, 2020-11-13 at 04:52 -1000, Steve Sakoman wrote:
> > From: Alexander Kanavin <[email protected]>
> >
> > CVE-2020-14145
> >
> > The client side in OpenSSH 5.7 through 8.3 has an Observable
> > Discrepancy leading to an information leak in the algorithm
> > negotiation. This allows man-in-the-middle attackers to target
> > initial connection attempts (where no host key for the server
> > has been cached by the client).
>
> I am not sure if this CVE should be considered fixed. Please see
> Section 3.1:
>
> https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf
I hadn't seen this. I'll drop the version upgrade from the pull request.

Hopefully someone can submit a patch set that does fix these issues.

Steve

> Also, this isn't a bug fix release and has potentially incompatible
> changes that may affect existing configurations as per the release
> notes:
>
> https://www.openssh.com/txt/release-8.4
>
> Thanks,
>
> Anuj
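The discrepancy the quoted CVE text describes is visible on the wire: the client's SSH_MSG_KEXINIT carries a server_host_key_algorithms name-list (RFC 4253 section 7.1), and a client that already has a cached host key for the server can order that list differently from a client that does not, so a man-in-the-middle can tell first-time connections apart from repeat ones. The script below is an added example written for this thread, not code from OpenSSH, OpenEmbedded, or the FZI paper: it encodes and decodes a minimal KEXINIT payload (constructed sample input) and flags whether the host-key algorithm ordering deviates from a baseline. The baseline list, the sample algorithm names, and the function names are assumptions for illustration; the baseline is not the exact default ordering of any OpenSSH release.

```python
"""Inspect the server_host_key_algorithms name-list in an SSH KEXINIT and
flag ordering that differs from a baseline (the observable discrepancy
behind CVE-2020-14145).

Added example for this mailing-list thread; not OpenSSH or OpenEmbedded code.
BASELINE_HOSTKEY_ALGS is an assumed ordering for illustration only.
"""
import struct

SSH_MSG_KEXINIT = 20  # message number from RFC 4253 section 7.1

# Assumed baseline: the order a client is taken to send when it has no
# cached host key for the server. Not the real default of any release.
BASELINE_HOSTKEY_ALGS = [
    "ssh-ed25519",
    "ecdsa-sha2-nistp256",
    "rsa-sha2-512",
    "rsa-sha2-256",
    "ssh-rsa",
]

KEXINIT_FIELDS = [
    "kex", "server_host_key",
    "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c",
]


def _name_list(names):
    """Encode an SSH name-list: uint32 length followed by comma-joined names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(hostkey_algs, cookie=bytes(16)):
    """Build a minimal KEXINIT payload with the given host-key algorithm list.

    Sample input constructed for the example; other name-lists are fixed
    placeholder values so the payload is well-formed but uninteresting.
    """
    lists = [
        ["curve25519-sha256"],
        list(hostkey_algs),
        ["aes256-gcm@openssh.com"], ["aes256-gcm@openssh.com"],
        ["hmac-sha2-256"], ["hmac-sha2-256"],
        ["none"], ["none"],
        [], [],
    ]
    body = b"".join(_name_list(names) for names in lists)
    # trailer: boolean first_kex_packet_follows, then uint32 reserved
    return bytes([SSH_MSG_KEXINIT]) + cookie + body + b"\x00" + struct.pack(">I", 0)


def parse_kexinit(payload):
    """Decode a KEXINIT payload into its ten name-lists.

    Raises ValueError on anything malformed rather than guessing, since a
    sniffer fed attacker-controlled bytes must not misreport a field.
    """
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off = 1 + 16  # message byte plus 16-byte cookie
    lists = []
    for _ in range(10):
        if off + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack(">I", payload[off:off + 4])
        off += 4
        if off + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[off:off + n].decode("ascii")
        lists.append(raw.split(",") if raw else [])
        off += n
    if off + 5 != len(payload):
        raise ValueError("bad trailer length")
    return dict(zip(KEXINIT_FIELDS, lists))


def classify_hostkey_order(client_algs, baseline=BASELINE_HOSTKEY_ALGS):
    """Return (cached_key_likely, promoted_type) for a client's list.

    Heuristic matching the CVE description: a list that is a permutation of
    the baseline but starts with a different algorithm suggests the client
    promoted a cached key type; an identical list suggests a first contact.
    None means the list is not comparable to the baseline at all.
    """
    if sorted(client_algs) != sorted(baseline):
        return (None, client_algs[0] if client_algs else None)
    if list(client_algs) == list(baseline):
        return (False, None)
    return (True, client_algs[0])


if __name__ == "__main__":
    first_contact = parse_kexinit(build_kexinit(BASELINE_HOSTKEY_ALGS))
    print("first contact:", classify_hostkey_order(first_contact["server_host_key"]))
    reordered = ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa",
                 "ssh-ed25519", "ecdsa-sha2-nistp256"]
    repeat = parse_kexinit(build_kexinit(reordered))
    print("repeat contact:", classify_hostkey_order(repeat["server_host_key"]))
```

Fed a captured client KEXINIT payload (the decrypted SSH packet body, before the binary-packet framing is stripped you would still need to drop the length, padding-length and padding bytes), the classifier gives the same two answers an attacker would read off: "no cached key, attack a first connection" or "cached key of this type". Whether a given OpenSSH build still exhibits the ordering difference is exactly the question Anuj raises about the 8.4 release, and this script only tells you what a particular client sent, not whether a version is fixed.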
View/Reply Online (#144571): https://lists.openembedded.org/g/openembedded-core/message/144571
