Mailing List Archive

Where to find OpenSSH patch for CVE-2020-14145
Hello,

We are currently trying to apply a patch to our 8.0p1 version of OpenSSH for CVE-2020-14145<https://nvd.nist.gov/vuln/detail/CVE-2020-14145>. The "patch" tag from NIST's web page links to the 8.3p1 vs 8.4p1 comparison<https://github.com/openssh/openssh-portable/compare/V_8_3_P1...V_8_4_P1> on GitHub. Is there, however, any one specific patch, which could be backported to our version or is updating to 8.4p1 the only solution for this CVE? Thank you in advance for your help!

All the best,
Pawel
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Where to find OpenSSH patch for CVE-2020-14145
On 10/30/20 4:51 PM, Pawel Winogrodzki wrote:
> Hello,
>
> We are currently trying to apply a patch to our 8.0p1 version of OpenSSH for CVE-2020-14145<https://nvd.nist.gov/vuln/detail/CVE-2020-14145>. The "patch" tag from NIST's web page links to the 8.3p1 vs 8.4p1 comparison<https://github.com/openssh/openssh-portable/compare/V_8_3_P1...V_8_4_P1> on GitHub. Is there, however, any one specific patch, which could be backported to our version or is updating to 8.4p1 the only solution for this CVE? Thank you in advance for your help!

There is no patch for that CVE (not even in openssh-8.4p1). It is
considered by most to be a usability feature rather than a CVE.

Regards,
--
Jakub Jelen
Senior Software Engineer
Crypto Team, Security Engineering
Red Hat, Inc.

RE: [EXTERNAL] Re: Where to find OpenSSH patch for CVE-2020-14145
Thank you for the clarification, Jakub!

I've now found a mention that this is a won't fix on fzi.de (https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-2-ausnutzung-eines-informationslecks-fuer-gezielte-mitm-angriffe-auf-ssh-clients/). I'll contact NIST to update their database. Could you point me to any other discussions where it's mentioned that this CVE won't be fixed so their links can provide more insight and clarification?

Thanks,
Pawel

-----Original Message-----
From: openssh-unix-dev <openssh-unix-dev-bounces+pawelwi=microsoft.com@mindrot.org> On Behalf Of Jakub Jelen
Sent: Friday, October 30, 2020 9:07 AM
To: openssh-unix-dev@mindrot.org
Subject: [EXTERNAL] Re: Where to find OpenSSH patch for CVE-2020-14145

On 10/30/20 4:51 PM, Pawel Winogrodzki wrote:
> Hello,
>
> We are currently trying to apply a patch to our 8.0p1 version of OpenSSH for CVE-2020-14145<https://nvd.nist.gov/vuln/detail/CVE-2020-14145>. The "patch" tag from NIST's web page links to the 8.3p1 vs 8.4p1 comparison<https://github.com/openssh/openssh-portable/compare/V_8_3_P1...V_8_4_P1> on GitHub. Is there, however, any one specific patch, which could be backported to our version or is updating to 8.4p1 the only solution for this CVE? Thank you in advance for your help!

There is no patch for that CVE (not even in openssh-8.4p1). It is considered by most to be a usability feature rather than a CVE.

Regards,
--
Jakub Jelen
Senior Software Engineer
Crypto Team, Security Engineering
Red Hat, Inc.
