Bug 1226642 (CVE-2024-6387)

Summary: VUL-0: CVE-2024-6387: openssh: regression of CVE-2006-5051
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Critical    
Priority: P1 - Urgent CC: abergmann, alarrosa, andreas.taschner, camila.matos, kim.frederiksen, meissner, radovan.varga, rfrohl, sreeves, sven.herbers-lee, werwolf131313
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/411621/
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Comment 2 Marcus Meissner 2024-06-20 14:50:38 UTC 
*** Bug 1226641 has been marked as a duplicate of this bug. ***
Comment 6 Marcus Meissner 2024-07-01 07:12:13 UTC 
CRD: 2024-07-01 8:00UTC
Comment 7 Antonio Larrosa 2024-07-01 08:03:14 UTC 
I've tried backporting the large fix but it needs many changes (also in other patches since it really touches many things) so, since the CVE will be released so soon, I've submitted the quick fix to SLE15 SP6 (in https://build.suse.de/request/show/336976) . I will now prepare also the quick fix to SLE15 SP3 and will continue working on the larger fix later.
Comment 8 Marcus Meissner 2024-07-01 08:19:09 UTC 
is public

https://www.openwall.com/lists/oss-security/2024/07/01/1
Comment 9 Antonio Larrosa 2024-07-01 08:36:39 UTC 
FTR, SLE-15 SP3 has openssh 8.4 which I checked is not affected by this since the signal handler doesn't do any logging in that version (it's defined out)
Comment 12 Maintenance Automation 2024-07-02 16:30:12 UTC 
SUSE-SU-2024:2275-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1226642
CVE References: CVE-2024-6387
Maintenance Incident: [SUSE:Maintenance:34525](https://smelt.suse.de/incident/34525/)
Sources used:
openSUSE Leap 15.6 (src):
 openssh-askpass-gnome-9.6p1-150600.6.3.1, openssh-9.6p1-150600.6.3.1
Basesystem Module 15-SP6 (src):
 openssh-9.6p1-150600.6.3.1
Desktop Applications Module 15-SP6 (src):
 openssh-askpass-gnome-9.6p1-150600.6.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Maintenance Automation 2024-07-04 08:30:08 UTC 
SUSE-SU-2024:2275-2: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1226642
CVE References: CVE-2024-6387
Maintenance Incident: [SUSE:Maintenance:34525](https://smelt.suse.de/incident/34525/)
Sources used:
openSUSE Leap 15.6 (src):
 openssh-9.6p1-150600.6.3.1, openssh-askpass-gnome-9.6p1-150600.6.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.