Include mitigation for CVE-2020-14145
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssh (Ubuntu) | Fix Released | Undecided | Unassigned |
Trusty | Fix Released | Undecided | Nishit Majithia |
Xenial | Fix Released | Undecided | Nishit Majithia |
Bionic | Fix Released | Undecided | Nishit Majithia |
Focal | Fix Released | Undecided | Nishit Majithia |
Bug Description
While there is no actual fix for CVE-2020-14145, as the upstream OpenSSH developers have stated that there are no plans to change the behaviour of OpenSSH to fix the issue, there does exist a commit that does mitigate the issue in certain scenarios.
When the client has a host key that happens to match the first entry in the preferred algorithms list, the mitigation will have the client send the default algorithm ordering to the server.
See:
https:/
https:/
This was included in Ubuntu 22.04 LTS and higher, but has not been included in 22.04 LTS and previous versions.
We should release an update with this mitigation included.
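The ordering rule described above, as an added example in C: a simplified model written for this page, not the upstream commit or Ubuntu's patch. The names `offer`, `have_key` and `DEFAULTS` and the sample preference list are constructed, and a key type is assumed to be the algorithm name minus its certificate suffix. A reordered offer differs from the default list, and the mitigation removes that difference only when the stored key matches the first default entry.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not OpenSSH source. Assumption: a key type is the
 * algorithm name with any certificate suffix removed. */
#define CERT_SUFFIX "-cert-v01@openssh.com"
/* Constructed sample preference list (not a real release default). */
#define DEFAULTS "ssh-ed25519-cert-v01@openssh.com," \
    "ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256"

/* Return 1 if the known list holds a key of alg's plain key type. */
static int have_key(const char *known, const char *alg, size_t len)
{
    size_t s = strlen(CERT_SUFFIX);
    if (len > s && strncmp(alg + len - s, CERT_SUFFIX, s) == 0)
        len -= s;                        /* certificate -> plain type */
    for (const char *p = known; *p != '\0'; p += (*p == ',')) {
        size_t klen = strcspn(p, ",");
        if (klen == len && strncmp(p, alg, len) == 0)
            return 1;
        p += klen;
    }
    return 0;
}

/* Host key algorithm list the client offers; known is "" for a new host. */
const char *offer(const char *defaults, const char *known, int mitigated,
    char *out, size_t outsz)
{
    out[0] = '\0';
    if (*known == '\0' ||
        (mitigated && have_key(known, defaults, strcspn(defaults, ",")))) {
        snprintf(out, outsz, "%s", defaults);   /* default order verbatim */
        return out;
    }
    /* Otherwise: algorithms for known key types first, then the rest. */
    for (int want = 1; want >= 0; want--)
        for (const char *p = defaults; *p != '\0'; p += (*p == ',')) {
            size_t len = strcspn(p, ","), used = strlen(out);
            if (have_key(known, p, len) == want && used + len + 2 <= outsz)
                snprintf(out + used, outsz - used, "%s%.*s",
                    used ? "," : "", (int)len, p);
            p += len;
        }
    return out;
}
```

With a stored `ssh-ed25519` key the mitigated offer equals `DEFAULTS`, while a stored `ecdsa-sha2-nistp256` key still produces a reordered list, which is why the update is described as a mitigation rather than a fix.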
CVE References
Changed in openssh (Ubuntu Trusty):
assignee: nobody → Nishit Majithia (0xnishit)
Changed in openssh (Ubuntu Xenial):
assignee: nobody → Nishit Majithia (0xnishit)
Changed in openssh (Ubuntu Bionic):
assignee: nobody → Nishit Majithia (0xnishit)
Changed in openssh (Ubuntu Focal):
assignee: nobody → Nishit Majithia (0xnishit)
Changed in openssh (Ubuntu Trusty):
status: New → In Progress
Changed in openssh (Ubuntu Xenial):
status: New → In Progress
Changed in openssh (Ubuntu Bionic):
status: New → In Progress
Changed in openssh (Ubuntu Focal):
status: New → In Progress
This bug was fixed in the package openssh - 1:8.2p1-4ubuntu0.9
---------------
openssh (1:8.2p1-4ubuntu0.9) focal-security; urgency=medium

  * SECURITY UPDATE: information leak in algorithm negotiation (LP: #2030275)
    - debian/patches/CVE-2020-14145-mitigation.patch: tweak the client
      hostkey preference ordering algorithm in sshconnect2.c.
    - Note: This update does not solve CVE-2020-14145, but does mitigate
      the issue in the specific scenario where the user has a key that
      matches the best-preference default algorithm.

 -- Marc Deslauriers <email address hidden>  Fri, 04 Aug 2023 18:02:08 -0400