main/openssh: security upgrade to 9.8_p1

Dominique Martinet requested to merge martinetd/aports:ssh into master

security fix for CVE-2024-6387

Details can be found in the Qualys advisory at https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt

The Qualys Threat Research Unit (TRU) discovered that OpenSSH, an
implementation of the SSH protocol suite, is prone to a signal handler
race condition. If a client does not authenticate within LoginGraceTime
seconds (120 by default), then sshd's SIGALRM handler is called
asynchronously and calls various functions that are not
async-signal-safe. A remote unauthenticated attacker can take advantage
of this flaw to execute arbitrary code with root privileges. This flaw
affects sshd in its default configuration.
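The handler pattern the advisory describes, next to the async-signal-safe form, as an added example that is not OpenSSH code and not part of this merge request. The names `unsafe_alarm_handler`, `safe_alarm_handler` and `wait_for_auth`, and the millisecond delays, are hypothetical and constructed for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/time.h>
#include <time.h>

static volatile sig_atomic_t grace_expired; /* the only state the handler touches */

/* UNSAFE, for contrast, never installed: fprintf() and exit() are not
 * async-signal-safe, so running them from a handler that interrupted the
 * main code inside malloc() or stdio can corrupt that code's state. */
void unsafe_alarm_handler(int sig)
{
    (void)sig;
    fprintf(stderr, "timeout before authentication\n");
    exit(1);
}

/* SAFE: record the event and return; the real work happens in wait_for_auth(). */
static void safe_alarm_handler(int sig) { (void)sig; grace_expired = 1; }

/* Simulated login wait: 1 = client authenticated in time, 0 = grace period
 * expired, -1 = setup error. auth_after_ms is the constructed client delay. */
int wait_for_auth(long grace_ms, long auth_after_ms)
{
    struct itimerval tv = { {0, 0}, {grace_ms / 1000, (grace_ms % 1000) * 1000} };
    struct itimerval off = { {0, 0}, {0, 0} };
    struct timespec tick = {0, 5 * 1000 * 1000}; /* poll in 5 ms steps */
    struct sigaction sa = {0};
    long waited_ms = 0;

    sa.sa_handler = safe_alarm_handler;
    sigemptyset(&sa.sa_mask);
    grace_expired = 0;
    if (sigaction(SIGALRM, &sa, NULL) != 0 || setitimer(ITIMER_REAL, &tv, NULL) != 0)
        return -1;
    while (!grace_expired && waited_ms < auth_after_ms) {
        nanosleep(&tick, NULL); /* cut short by SIGALRM */
        waited_ms += 5;
    }
    setitimer(ITIMER_REAL, &off, NULL); /* disarm the timer */
    if (!grace_expired)
        return 1;
    fprintf(stderr, "timeout before authentication\n"); /* normal context: safe */
    return 0;
}
```

The logging call is the same in both versions; what changes is that the safe version runs it from normal program flow after the handler has returned.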