oss-sec mailing list archives
Re: Announce: OpenSSH 9.8 released
From: Dominique Martinet <asmadeus () codewreck org>
Date: Tue, 2 Jul 2024 08:47:22 +0900
Damien Miller wrote on Mon, Jul 01, 2024 at 02:10:04AM -0600:
> OpenSSH 9.8 has just been released. It will be available from the mirrors listed at https://www.openssh.com/ shortly.

Thanks for all the work towards this release.

Just a paperwork question as I couldn't find the information anywhere, was there any CVE assigned to the 2nd security issue?

I'm asking because I tried updating the Alpine package[1], and given the first issue is a slightly different problem on musl it probably needs a different label than CVE-2024-6387; I'm honestly still not quite sure how all this works after all these years, but at the very least a search on cve.mitre.org[2] didn't turn up anything, so I assume Red Hat (who issued the first CVE) didn't process the second problem?

(although to be fair the non-safety is still a problem on Alpine, so that CVE might still apply, it's just no longer a free/malloc race with syslog but something that hasn't been studied as extensively... labeling is hard.)

[1] https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/68482#note_417509
[2] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openssh

Damien Miller wrote on Mon, Jul 01, 2024 at 02:10:04AM -0600:
> 1) Race condition in sshd(8)

Looking at other announcements I assume CVE-2024-6387 is specific to this.

> 2) Logic error in ssh(1) ObscureKeystrokeTiming

I couldn't find anything on this one.

Thanks,
--
Dominique Martinet | Asmadeus
