ELSA-2024-3166

Published: May 23, 2024
Source: oracle-oval
Platform: Oracle Linux 8

Description

ELSA-2024-3166: openssh security update (MODERATE)

[8.0p1-24.0.1]

  • Update upstream references [Orabug: 36587718]

[8.0p1-24]

  • Providing a kill switch for scp to deal with CVE-2020-15778 Resolves: RHEL-22870

[8.0p1-23]

  • Fix Terrapin attack Resolves: RHEL-19308

[8.0p1-22]

  • Fix Terrapin attack Resolves: RHEL-19308
  • Forbid shell metasymbols in username/hostname Resolves: RHEL-19788

[8.0p1-21]

  • Using DigestSign/DigestVerify functions for better FIPS compatibility Resolves: RHEL-5217

[8.0p1-20]

  • Limit artificial delays in sshd while login using AD user Resolves: RHEL-1684
  • Add comment to OpenSSH server config about FIPS-incompatible key Resolves: RHEL-5221
  • Avoid killing all processes on system in case of race condition Resolves: RHEL-11548
  • Avoid sshd_config 256K limit Resolves: RHEL-5279
  • Using DigestSign/DigestVerify functions for better FIPS compatibility Resolves: RHEL-5217
  • Fix GSS KEX causing ssh failures when connecting to WinSSHD Resolves: RHEL-5321

Updated packages

Oracle Linux 8

Oracle Linux aarch64

  • openssh: 8.0p1-24.0.1.el8
  • openssh-askpass: 8.0p1-24.0.1.el8
  • openssh-cavs: 8.0p1-24.0.1.el8
  • openssh-clients: 8.0p1-24.0.1.el8
  • openssh-keycat: 8.0p1-24.0.1.el8
  • openssh-ldap: 8.0p1-24.0.1.el8
  • openssh-server: 8.0p1-24.0.1.el8
  • pam_ssh_agent_auth: 0.10.3-7.24.0.1.el8

Oracle Linux x86_64

  • openssh: 8.0p1-24.0.1.el8
  • openssh-askpass: 8.0p1-24.0.1.el8
  • openssh-cavs: 8.0p1-24.0.1.el8
  • openssh-clients: 8.0p1-24.0.1.el8
  • openssh-keycat: 8.0p1-24.0.1.el8
  • openssh-ldap: 8.0p1-24.0.1.el8
  • openssh-server: 8.0p1-24.0.1.el8
  • pam_ssh_agent_auth: 0.10.3-7.24.0.1.el8

Related CVEs

Related vulnerabilities

CVSS3: 7.8
ubuntu
almost 5 years ago

** DISPUTED ** scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."

CVSS3: 7.8
redhat
almost 5 years ago

scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."

CVSS3: 7.8
nvd
almost 5 years ago

scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."

CVSS3: 7.8
msrc
almost 5 years ago

No description available

CVSS3: 7.8
debian
almost 5 years ago

scp in OpenSSH through 8.3p1 allows command injection in the scp.c tor ...