Bad bignum encoding for curve25519-sha256@libssh.org

Bug #1313865 reported by James Cloos
This bug affects 1 person
Affects: openssh (Ubuntu)
Status: Triaged
Importance: High
Assigned to: Unassigned
Milestone: (none)
Nominated for Trusty by Robie Basak

Bug Description

A patch for 6.6p1 was posted on the openssh list fixing a bug in the 25519 negotiation and changing the reported version to 6.6.1p1.

Future versions of openssh, version 6.6.1p1 itself, and other ssh software, such as libssh, will refuse to speak 25519 to anything which identifies itself as openssh 6.6p1 or 6.5p1.

The patch was posted for the express purpose of providing an easy update for 6.6p1 to avoid this bug.

Debian has updated sid to 6.6.1p1, and that should copy over to jessie soon. You can see their git for the details.

Both utopic and trusty should get this update quickly. And in trusty itself, not just -updates or -backports; notwithstanding the edit to the reported version it is a bug fix for 6.6p1.

Any backports or updates repos which have 6.6p1 also should get the update to 6.6.1p1.

Revision history for this message
Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

> Debian has updated sid to 6.6.1p1, and that should copy over to jessie soon.

I only see 1:6.6p1-4, but this does include:

  * Apply upstream-recommended patch to fix bignum encoding for
    curve25519-sha256@libssh.org, fixing occasional key exchange failures.

If this is the patch for which you filed this bug, then we should rename this bug accordingly, since as far as I can tell 6.6.1p1 hasn't been released yet, and this is confusing. It sounds like the patch itself can be cherry-picked to Trusty.

I see 1:6.6p1-4 in utopic-proposed, so the fix should hit Utopic soon.

I see a patch here, which we can cherry-pick to Trusty: http://sources.debian.net/src/openssh/1:6.6p1-4/debian/patches/curve25519-sha256-bignum-encoding.patch

summary: - Need to update 6.6p1 to 6.6.1p1
+ Bad bignum encoding for curve25519-sha256@libssh.org
Changed in openssh (Ubuntu):
status: New → Triaged
importance: Undecided → High
Revision history for this message
Robie Basak (racb) wrote :

Ah - and now I see the duplicate.

Revision history for this message
James Cloos (launchpad-jhcloos) wrote :

I missed the earlier report.

I went from memory on the package version number; ssh -V reports 6.6.1p1 but as you found dpkg says 1:6.6p1-4.

I hope that helps the case for getting it into trusty.

That is the correct patch from deb’s package.
