[Buildroot] [PATCH 1/1] package/openssh: security bump to version 8.6p1
Peter Korsgaard
peter at korsgaard.com
Mon May 17 21:32:22 UTC 2021
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice at gmail.com> writes:
> Security
> ========
> * sshd(8): OpenSSH 8.5 introduced the LogVerbose keyword. When this
> option was enabled with a set of patterns that activated logging
> in code that runs in the low-privilege sandboxed sshd process, the
> log messages were constructed in such a way that printf(3) format
> strings could effectively be specified by the low-privilege code.
> An attacker who had successfully exploited the low-privilege
> process could use this to escape OpenSSH's sandboxing and attack
> the high-privilege process. Exploitation of this weakness is
> highly unlikely in practice as the LogVerbose option is not
> enabled by default and is typically only used for debugging. No
> vulnerabilities in the low-privilege process are currently known
> to exist.
> https://www.openssh.com/txt/release-8.6
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
Committed to 2021.02.x, thanks.
--
Bye, Peter Korsgaard
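
The log-message weakness described in the quoted release notes, as an added example that is not part of the original message and is not OpenSSH's code: a privileged-side handler that keeps text from the low-privilege process as a printf(3) argument, never as the format. The function names and the sample message are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Count printf(3) conversion specifications in s ("%%" is a literal percent).
 * A non-zero result means s would direct printf to read (or, with %n, write)
 * arguments if it were ever used as a format string. */
static int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent, not a conversion */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Privileged-side log handler (hypothetical). msg arrived from the
 * low-privilege process and is untrusted.
 *
 * Vulnerable shape, shown only as a comment:
 *     snprintf(out, outlen, msg);     (msg chooses the conversions)
 * Hardened shape: the format is a constant and msg is only an argument. */
static int log_untrusted(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, "sandbox: %s", msg);
}

int main(void)
{
    /* Constructed sample message containing conversion specifications. */
    const char *msg = "auth fail for %x%x %n user 100%%";
    char line[128];

    log_untrusted(line, sizeof(line), msg);
    printf("%d conversions in untrusted text\n", count_conversions(msg));
    printf("logged verbatim: %s\n", line);
    return 0;
}
```

Building with -Wformat -Wformat-security makes the compiler flag the commented-out vulnerable shape wherever the format argument is not a string literal.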