[Bug 2030275] Re: Include mitigation for CVE-2020-14145

Marc Deslauriers 2030275 at bugs.launchpad.net
Mon Aug 7 11:56:05 UTC 2023


** Changed in: openssh (Ubuntu Trusty)
     Assignee: (unassigned) => Nishit Majithia (0xnishit)

** Changed in: openssh (Ubuntu Xenial)
     Assignee: (unassigned) => Nishit Majithia (0xnishit)

** Changed in: openssh (Ubuntu Bionic)
     Assignee: (unassigned) => Nishit Majithia (0xnishit)

** Changed in: openssh (Ubuntu Focal)
     Assignee: (unassigned) => Nishit Majithia (0xnishit)

** Changed in: openssh (Ubuntu Trusty)
       Status: New => In Progress

** Changed in: openssh (Ubuntu Xenial)
       Status: New => In Progress

** Changed in: openssh (Ubuntu Bionic)
       Status: New => In Progress

** Changed in: openssh (Ubuntu Focal)
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2030275

Title:
  Include mitigation for CVE-2020-14145

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Trusty:
  In Progress
Status in openssh source package in Xenial:
  In Progress
Status in openssh source package in Bionic:
  In Progress
Status in openssh source package in Focal:
  In Progress

Bug description:
  While there is no actual fix for CVE-2020-14145, as the upstream
  OpenSSH developers have stated that there are no plans to change the
  behaviour of OpenSSH to fix the issue, there does exist a commit that
  does mitigate the issue in certain scenarios.

  When the client has a host key that happens to match the first entry
  in the preferred algorithms list, the mitigation will have the client
  send the default algorithm ordering to the server.

  See:

  https://www.openwall.com/lists/oss-security/2020/12/02/1
  https://anongit.mindrot.org/openssh.git/commit/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d

  This was included in Ubuntu 22.04 LTS and higher, but has not been
  included in 22.04 LTS and previous versions.

  We should release an update with this mitigation included.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2030275/+subscriptions
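
The ordering rule in the bug description, as an added example that is not part of the original notification and is not OpenSSH code. It is a simplified model showing why the mitigation only helps "in certain scenarios"; the sample algorithm list, the function names, and the assumed baseline (the client otherwise moves algorithms for cached host keys to the front of its offer) are assumptions made for illustration.

```python
# Added illustration, not OpenSSH code. Simplified model of the ordering
# decision; the algorithm list and all function names are constructed.

DEFAULT_ORDER = [  # constructed sample preference list, best first
    "ssh-ed25519",
    "ecdsa-sha2-nistp256",
    "rsa-sha2-512",
    "ssh-rsa",
]


def offered_order(default_order, cached_types, mitigated):
    """Return the host key algorithm list the modelled client sends."""
    cached = [alg for alg in default_order if alg in cached_types]
    if not cached:
        # No cached key for this host: nothing to prioritise.
        return list(default_order)
    if mitigated and default_order[0] in cached_types:
        # Mitigation from the bug text: the first preference already
        # matches a cached key, so send the default ordering unchanged.
        return list(default_order)
    # Assumed baseline behaviour: cached key types move to the front.
    others = [alg for alg in default_order if alg not in cached_types]
    return cached + others


def differs_from_default(default_order, cached_types, mitigated):
    """True when the offer is distinguishable from a first-time client's."""
    offer = offered_order(default_order, cached_types, mitigated)
    return offer != list(default_order)


if __name__ == "__main__":
    cases = {
        "no cached key": set(),
        "cached ed25519 + ssh-rsa": {"ssh-ed25519", "ssh-rsa"},
        "cached ssh-rsa only": {"ssh-rsa"},
    }
    for label, cached in cases.items():
        for mitigated in (False, True):
            print(label, "mitigated" if mitigated else "unmitigated",
                  offered_order(DEFAULT_ORDER, cached, mitigated),
                  differs_from_default(DEFAULT_ORDER, cached, mitigated))
```

In the last case the cached key is not the first-preference type, so the modelled offer still differs from the default even with the mitigation applied.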



