[Bug 2030275] [NEW] Include mitigation for CVE-2020-14145
Marc Deslauriers
2030275 at bugs.launchpad.net
Sat Aug 5 13:22:18 UTC 2023
*** This bug is a security vulnerability ***
Public security bug reported:
While there is no actual fix for CVE-2020-14145, as the upstream OpenSSH
developers have stated that there are no plans to change the behaviour
of OpenSSH to fix the issue, there does exist a commit that does
mitigate the issue in certain scenarios.
When the client has a host key that happens to match the first entry in
the preferred algorithms list, the mitigation will have the client send
the default algorithm ordering to the server.
See:
https://www.openwall.com/lists/oss-security/2020/12/02/1
https://anongit.mindrot.org/openssh.git/commit/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d
This was included in Ubuntu 22.04 LTS and higher, but has not been
included in 22.04 LTS and previous versions.
We should release an update with this mitigation included.
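The ordering behaviour the report refers to, modelled as an added Python example (this is not OpenSSH code; the algorithm list is a constructed, shortened version of the client's default that keeps OpenSSH's shape, certificate algorithms before plain-key algorithms). It shows why the unmitigated client reveals that it already knows a host, and why the mitigation only helps when the known key type is the first default entry:

```python
# Added example, not OpenSSH code: a model of the client host key ordering behind CVE-2020-14145.
# DEFAULT_HOSTKEY_ALGS is a constructed, shortened default in OpenSSH's shape (certs before plain keys).
DEFAULT_HOSTKEY_ALGS = [
    "ssh-ed25519-cert-v01@openssh.com",
    "ecdsa-sha2-nistp256-cert-v01@openssh.com",
    "rsa-sha2-512-cert-v01@openssh.com",
    "ssh-ed25519",
    "ecdsa-sha2-nistp256",
    "rsa-sha2-512",
]
CERT_SUFFIX = "-cert-v01@openssh.com"


def plain_type(alg):
    """Map an algorithm name to the plain key type as stored in known_hosts."""
    base = alg[: -len(CERT_SUFFIX)] if alg.endswith(CERT_SUFFIX) else alg
    return "ssh-rsa" if base.startswith("rsa-sha2-") else base


def order_hostkeyalgs(known_types, algs=DEFAULT_HOSTKEY_ALGS):
    """Unmitigated behaviour: algorithms for already-known key types move to the
    front (relative order kept), so the list differs from the default."""
    preferred = [a for a in algs if plain_type(a) in known_types]
    others = [a for a in algs if plain_type(a) not in known_types]
    return preferred + others


def client_hostkeyalgs(known_types, mitigated, algs=DEFAULT_HOSTKEY_ALGS):
    """Ordering the client advertises in KEXINIT for a host whose known_hosts
    entries have the given key types (empty set: first contact, host unknown)."""
    if not known_types:
        return list(algs)
    # Mitigation from the referenced commit: if the first default entry is already
    # a known key type, the default order gives nothing away, so send it unchanged.
    if mitigated and plain_type(algs[0]) in known_types:
        return list(algs)
    return order_hostkeyalgs(known_types, algs)


def reveals_known_host(known_types, mitigated):
    """True when a passive observer can tell this client already knows the host,
    because its advertised order differs from what a first-contact client sends."""
    return client_hostkeyalgs(known_types, mitigated) != DEFAULT_HOSTKEY_ALGS


if __name__ == "__main__":
    for known in ({"ssh-ed25519"}, {"ssh-rsa"}):
        for mitigated in (False, True):
            state = "reveals" if reveals_known_host(known, mitigated) else "hidden"
            print(sorted(known), "mitigated" if mitigated else "unmitigated", state)
```

With a known ed25519 key the mitigated client becomes indistinguishable from a first-contact client; with a known RSA key the reordering, and the leak, remain, which is the "certain scenarios" limit the report mentions.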
** Affects: openssh (Ubuntu)
Importance: Undecided
Status: Fix Released
** Affects: openssh (Ubuntu Trusty)
Importance: Undecided
Status: New
** Affects: openssh (Ubuntu Xenial)
Importance: Undecided
Status: New
** Affects: openssh (Ubuntu Bionic)
Importance: Undecided
Status: New
** Affects: openssh (Ubuntu Focal)
Importance: Undecided
Status: New
** Also affects: openssh (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: openssh (Ubuntu Xenial)
Importance: Undecided
Status: New
** Also affects: openssh (Ubuntu Trusty)
Importance: Undecided
Status: New
** Also affects: openssh (Ubuntu Focal)
Importance: Undecided
Status: New
** Changed in: openssh (Ubuntu)
Status: New => Fix Released
https://bugs.launchpad.net/bugs/2030275