[v2.5] openssh: remote skipping of SSHFP DNS RR checking (CVE-2014-2653)
The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate.
•MLIST:[oss-security] 20140326 CVE request: openssh client does not check SSHFP if server offers certificate
•URL: http://openwall.com/lists/oss-security/2014/03/26/7
•CONFIRM: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513
•DEBIAN:DSA-2894
•URL: http://www.debian.org/security/2014/dsa-2894
•UBUNTU:USN-2164-1
•URL: http://www.ubuntu.com/usn/USN-2164-1
(from redmine: issue id 2858, created on 2014-04-18, closed on 2014-04-21)
- Relations:
- parent #2856 (closed)
- Changesets:
- Revision 981de7de by Timo Teräs on 2014-04-21T14:05:01Z:
main/openssh: security fix for CVE-2014-2653
fixes #2858
(cherry picked from commit 71bd4159f75887e3fa43dc15fb4f42a81feb0467)
Conflicts:
main/openssh/APKBUILD