[Bug 2030275] Re: Include mitigation for CVE-2020-14145
Nishit Majithia
2030275 at bugs.launchpad.net
Wed Aug 9 06:58:23 UTC 2023
The package has been updated with the mitigation
https://ubuntu.com/security/notices/USN-6279-1
** Changed in: openssh (Ubuntu Trusty)
Status: In Progress => Fix Released
** Changed in: openssh (Ubuntu Xenial)
Status: In Progress => Fix Released
** Changed in: openssh (Ubuntu Bionic)
Status: In Progress => Fix Released
https://bugs.launchpad.net/bugs/2030275
Title:
Include mitigation for CVE-2020-14145
Status in openssh package in Ubuntu:
Fix Released
Status in openssh source package in Trusty:
Fix Released
Status in openssh source package in Xenial:
Fix Released
Status in openssh source package in Bionic:
Fix Released
Status in openssh source package in Focal:
Fix Released
Bug description:
While there is no actual fix for CVE-2020-14145, as the upstream
OpenSSH developers have stated that there are no plans to change the
behaviour of OpenSSH to fix the issue, there does exist a commit that
does mitigate the issue in certain scenarios.
When the client has a host key that happens to match the first entry
in the preferred algorithms list, the mitigation will have the client
send the default algorithm ordering to the server.
See:
https://www.openwall.com/lists/oss-security/2020/12/02/1
https://anongit.mindrot.org/openssh.git/commit/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d
This was included in Ubuntu 22.04 LTS and higher, but has not been
included in 22.04 LTS and previous versions.
We should release an update with this mitigation included.
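The bug description above only states the mitigation's rule in one sentence. To make the observable behaviour concrete, here is an added example (written for this page, not code from OpenSSH or from the bug's author) that models the client-side host key algorithm ordering before and after the mitigation. It is a simplified model: the `DEFAULT_ORDER` list, the `known_hosts` sample, and all function names are constructed for illustration; OpenSSH's real default list is longer, and its `known_hosts` handling (hashed hosts, `@cert-authority` markers, port-qualified hosts) is not modelled.

```python
"""Model of how an OpenSSH-style client orders the host key algorithms it
advertises in KEXINIT, with and without the CVE-2020-14145 mitigation.

Constructed example; not OpenSSH's code and not the package's patch.
"""

# Constructed: a shortened list in the spirit of OpenSSH's default
# preference order (certificate types first), not the real list.
DEFAULT_ORDER = [
    "ssh-ed25519-cert-v01@openssh.com",
    "ecdsa-sha2-nistp256-cert-v01@openssh.com",
    "rsa-sha2-512-cert-v01@openssh.com",
    "ssh-ed25519",
    "ecdsa-sha2-nistp256",
    "rsa-sha2-512",
    "ssh-rsa",
]

# Constructed sample, not a real known_hosts file. Key material is a placeholder.
KNOWN_HOSTS = """\
# constructed sample
git.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY
legacy.example.com,10.0.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEKEY
"""


def plain_type(alg):
    """Map a host key algorithm name to the underlying plain key type.

    Certificate algorithms map to their plain key type, and the rsa-sha2-*
    signature algorithms map to ssh-rsa, because a known_hosts entry
    records the key type, not the signature algorithm.
    """
    base = alg.split("-cert-v01@openssh.com")[0]
    if base.startswith("rsa-sha2-"):
        base = "ssh-rsa"
    return base


def known_types_for(host, known_hosts_text):
    """Collect the plain key types recorded for `host` in unhashed entries."""
    types = set()
    for line in known_hosts_text.splitlines():
        parts = line.split()
        # Skip comments, markers (@cert-authority, @revoked), hashed hosts
        # (|1|...) and malformed lines; none of these are modelled here.
        if len(parts) < 3 or parts[0][0] in "#@|":
            continue
        if host in parts[0].split(","):
            types.add(plain_type(parts[1]))
    return types


def order_hostkeyalgs(default_order, known_types, mitigated):
    """Return the algorithm list the client would advertise for a server.

    Pre-mitigation: algorithms whose key type is already in known_hosts are
    moved to the front (relative order preserved), so the advertised list
    differs from the default whenever the host is known; a server can tell
    known hosts from unknown ones (the CVE-2020-14145 observable).

    Mitigated: if the key type of the first entry in the default order is
    already a known type, the default order is sent unchanged, so this case
    is indistinguishable from an unknown host. Other cases still reorder.
    """
    if not known_types:
        return list(default_order)
    if mitigated and plain_type(default_order[0]) in known_types:
        return list(default_order)
    preferred = [a for a in default_order if plain_type(a) in known_types]
    rest = [a for a in default_order if plain_type(a) not in known_types]
    return preferred + rest


def leaks_known_host(default_order, known_types, mitigated):
    """True when the advertised list reveals that the host is in known_hosts."""
    return order_hostkeyalgs(default_order, known_types, mitigated) != list(default_order)


if __name__ == "__main__":
    for host in ("git.example.com", "legacy.example.com", "unknown.example.com"):
        known = known_types_for(host, KNOWN_HOSTS)
        for mitigated in (False, True):
            state = "mitigated" if mitigated else "unmitigated"
            print(host, state, "known_types=%s" % sorted(known),
                  "leaks=%s" % leaks_known_host(DEFAULT_ORDER, known, mitigated))
```

Running it shows why the bug description says "in certain scenarios": for `git.example.com`, whose known key type (ssh-ed25519) matches the first default entry, the mitigated client sends the default order and the server learns nothing; for `legacy.example.com`, known only by an ssh-rsa key, the list is still reordered and remains distinguishable from the unknown-host case.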