Bug 1226642 (CVE-2024-6387) - VUL-0: CVE-2024-6387: openssh: regression of CVE-2006-5051
Summary: VUL-0: CVE-2024-6387: openssh: regression of CVE-2006-5051
Status: IN_PROGRESS
: 1226641 (view as bug list)
Alias: CVE-2024-6387
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P1 - Urgent : Critical
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/411621/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-06-20 14:49 UTC by Alexander Bergmann
Modified: 2024-07-17 16:30 UTC (History)
11 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Comment 2 Marcus Meissner 2024-06-20 14:50:38 UTC 
*** Bug 1226641 has been marked as a duplicate of this bug. ***
Comment 6 Marcus Meissner 2024-07-01 07:12:13 UTC 
CRD: 2024-07-01 8:00UTC
Comment 7 Antonio Larrosa 2024-07-01 08:03:14 UTC 
I've tried backporting the large fix but it needs many changes (also in other patches since it really touches many things) so, since the CVE will be released so soon, I've submitted the quick fix to SLE15 SP6 (in https://build.suse.de/request/show/336976) . I will now prepare also the quick fix to SLE15 SP3 and will continue working on the larger fix later.
Comment 8 Marcus Meissner 2024-07-01 08:19:09 UTC 
is public

https://www.openwall.com/lists/oss-security/2024/07/01/1
Comment 9 Antonio Larrosa 2024-07-01 08:36:39 UTC 
FTR, SLE-15 SP3 has openssh 8.4 which I checked is not affected by this since the signal handler doesn't do any logging in that version (it's defined out)
Comment 12 Maintenance Automation 2024-07-02 16:30:12 UTC 
SUSE-SU-2024:2275-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1226642
CVE References: CVE-2024-6387
Maintenance Incident: [SUSE:Maintenance:34525](https://smelt.suse.de/incident/34525/)
Sources used:
openSUSE Leap 15.6 (src):
 openssh-askpass-gnome-9.6p1-150600.6.3.1, openssh-9.6p1-150600.6.3.1
Basesystem Module 15-SP6 (src):
 openssh-9.6p1-150600.6.3.1
Desktop Applications Module 15-SP6 (src):
 openssh-askpass-gnome-9.6p1-150600.6.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Maintenance Automation 2024-07-04 08:30:08 UTC 
SUSE-SU-2024:2275-2: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1226642
CVE References: CVE-2024-6387
Maintenance Incident: [SUSE:Maintenance:34525](https://smelt.suse.de/incident/34525/)
Sources used:
openSUSE Leap 15.6 (src):
 openssh-9.6p1-150600.6.3.1, openssh-askpass-gnome-9.6p1-150600.6.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.