Date: Wed, 01 Jul 2015 14:27:04 +0200
From: Andreas Stieger <astieger@...e.de>
To: cve-assign@...re.org
CC: oss-security@...ts.openwall.com
Subject: CVE Request: two security issues in OpenSSH 6.9

Hi,

The OpenSSH 6.9 release contains the following changes declared as security issues:
http://www.openssh.com/txt/release-6.9

> Security
> --------
>
> * ssh(1): when forwarding X11 connections with ForwardX11Trusted=no,
>   connections made after ForwardX11Timeout expired could be permitted
>   and no longer subject to XSECURITY restrictions because of an
>   ineffective timeout check in ssh(1) coupled with "fail open"
>   behaviour in the X11 server when clients attempted connections with
>   expired credentials. This problem was reported by Jann Horn.

In the portable releases, this is
https://anongit.mindrot.org/openssh.git/commit/?h=V_6_9&id=1bf477d3cdf1a864646d59820878783d42357a1d

> * ssh-agent(1): fix weakness of agent locking (ssh-add -x) to
>   password guessing by implementing an increasing failure delay,
>   storing a salted hash of the password rather than the password
>   itself and using a timing-safe comparison function for verifying
>   unlock attempts. This problem was reported by Ryan Castellucci.

In the portable releases, this is
https://anongit.mindrot.org/openssh.git/commit/?h=V_6_9&id=9173d0fbe44de7ebcad8a15618e13a8b8d78902e

Could CVE-IDs be assigned for these please?

Andreas

-- 
Andreas Stieger <astieger@...e.de>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg)
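As an added illustration of the three mitigations the ssh-agent item above names (not OpenSSH's own code), the following Python model of an agent lock stores only a random salt and a PBKDF2 hash instead of the password, verifies unlock attempts with a timing-safe comparison, and makes the delay before answering grow with each consecutive failure. The salt length, iteration count and delay schedule are illustrative choices, not values taken from OpenSSH.

```python
import hashlib
import hmac
import os
import time


class AgentLock:
    """Model of a hardened agent lock: salted hash at rest, constant-time
    verification, and an increasing delay after failed unlock attempts.
    Parameter values below are illustrative, not OpenSSH's."""

    ITERATIONS = 100_000  # PBKDF2 work factor (illustrative)

    def __init__(self):
        self.salt = None
        self.digest = None
        self.failures = 0

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    @property
    def locked(self) -> bool:
        return self.digest is not None

    def lock(self, password: str) -> None:
        # Keep only a fresh random salt and the derived hash; the plaintext is not retained.
        self.salt = os.urandom(16)
        self.digest = self._derive(password, self.salt)
        self.failures = 0

    def next_delay(self) -> float:
        # Doubling delay per consecutive failure: 0.1s, 0.2s, 0.4s, ... capped at 10s.
        if self.failures == 0:
            return 0.0
        return min(0.1 * 2 ** (self.failures - 1), 10.0)

    def unlock(self, attempt: str) -> bool:
        if not self.locked:
            return True
        # Penalise guessing: pause before even evaluating the attempt.
        time.sleep(self.next_delay())
        candidate = self._derive(attempt, self.salt)
        # compare_digest runs in time independent of how many bytes match.
        if hmac.compare_digest(candidate, self.digest):
            self.salt = self.digest = None
            self.failures = 0
            return True
        self.failures += 1
        return False
```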