oss-sec mailing list archives
Re: CVE Request - OpenSSH
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 07 Nov 2013 23:50:58 -0700
On 11/07/2013 09:02 PM, mancha wrote:
> Hello Kurt, vendors, et al.
>
> OpenSSH has released an advisory[1] detailing a memory corruption
> vulnerability in the post-authentication sshd process when using an
> aes*-gcm@openssh.com cipher. OpenSSH 6.4/6.4p1 were released to
> address the problem.
>
> Would you please allocate a CVE for this issue?
>
> Thanks.
>
> --mancha
>
> [1] http://www.openssh.com/txt/gcmrekey.adv

From the advisory:

If exploited, this vulnerability might permit code execution with the privileges of the authenticated user and may therefore allow bypassing restricted shell/command configurations.

So based on that it sounds like a security issue. Please use CVE-2013-4548 for this issue.

CC'ing Markus in case he already requested a CVE.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993