Bugzilla – Bug 1227318
VUL-0: CVE-2024-39894: openssh: timing attacks against echo-off password entry
Last modified: 2024-07-17 16:30:06 UTC
OpenSSH 9.5 through 9.7 before 9.8 sometimes allows timing attacks against echo-off password entry (e.g., for su and Sudo) because of an ObscureKeystrokeTiming logic error. Similarly, other timing attacks against keystroke entry could occur.

References:
https://lists.mindrot.org/pipermail/openssh-unix-announce/2024-July/000158.html
https://www.openssh.com/txt/release-9.8
http://www.openwall.com/lists/oss-security/2024/07/02/1
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-39894
https://www.cve.org/CVERecord?id=CVE-2024-39894
Only Factory needs to be updated.
I submitted:
https://build.opensuse.org/request/show/1185823 to Factory
https://build.suse.de/request/show/337750 to SLE-15-SP6
https://build.suse.de/request/show/337749 to ALP
to fix this (and a couple of other issues that I found while reviewing upstream changes).
SUSE-SU-2024:2393-1: An update that solves two vulnerabilities and has three security fixes can now be installed.

Category: security (moderate)
Bug References: 1218215, 1224392, 1225904, 1227318, 1227350
CVE References: CVE-2023-51385, CVE-2024-39894
Maintenance Incident: [SUSE:Maintenance:34681](https://smelt.suse.de/incident/34681/)

Sources used:
openSUSE Leap 15.6 (src): openssh-askpass-gnome-9.6p1-150600.6.6.1, openssh-9.6p1-150600.6.6.1
Basesystem Module 15-SP6 (src): openssh-9.6p1-150600.6.6.1
Desktop Applications Module 15-SP6 (src): openssh-askpass-gnome-9.6p1-150600.6.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.