CVE-2014-2653
Priority
Medium
Description
The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6
and earlier allows remote servers to trigger the skipping of SSHFP DNS RR
checking by presenting an unacceptable HostCertificate.
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2653
http://openwall.com/lists/oss-security/2014/03/26/7
https://usn.ubuntu.com/usn/usn-2164-1
Bugs
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513
Notes
mdeslaur> code is different in lucid, and doesn't seem vulnerable
Assigned-to
mdeslaur
Package
Source:
openssh
(
LP
Ubuntu
Debian
)
Upstream:
needs-triage
Ubuntu 14.04 LTS (Trusty Tahr)
:
released
(1:6.6p1-1)
Patches:
Vendor:
http://anonscm.debian.org/gitweb/?p=pkg-ssh/openssh.git;a=commit;h=63d5fa28e16d96db6bac2dbe3fcecb65328f8966
Upstream:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshconnect.c.diff?r1=1.246;r2=1.247
More Information
Mitre
NVD
Launchpad
Debian
Updated
: 2017-12-15 20:33:30 UTC (commit
13913
)