[Bug 2030275] Re: Include mitigation for CVE-2020-14145

Launchpad Bug Tracker 2030275 at bugs.launchpad.net
Wed Aug 9 06:10:18 UTC 2023


This bug was fixed in the package openssh - 1:8.2p1-4ubuntu0.9

---------------
openssh (1:8.2p1-4ubuntu0.9) focal-security; urgency=medium

  * SECURITY UPDATE: information leak in algorithm negotiation (LP: #2030275)
    - debian/patches/CVE-2020-14145-mitigation.patch: tweak the client
      hostkey preference ordering algorithm in sshconnect2.c.
    - Note: This update does not solve CVE-2020-14145, but does mitigate
      the issue in the specific scenario where the user has a key that
      matches the best-preference default algorithm.

 -- Marc Deslauriers <marc.deslauriers at ubuntu.com>  Fri, 04 Aug 2023 18:02:08 -0400

** Changed in: openssh (Ubuntu Focal)
       Status: In Progress => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-14145

https://bugs.launchpad.net/bugs/2030275

Title:
  Include mitigation for CVE-2020-14145

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Trusty:
  In Progress
Status in openssh source package in Xenial:
  In Progress
Status in openssh source package in Bionic:
  In Progress
Status in openssh source package in Focal:
  Fix Released

Bug description:
  While there is no actual fix for CVE-2020-14145, as the upstream
  OpenSSH developers have stated that there are no plans to change the
  behaviour of OpenSSH to fix the issue, there does exist a commit that
  does mitigate the issue in certain scenarios.

  When the client has a host key that happens to match the first entry
  in the preferred algorithms list, the mitigation will have the client
  send the default algorithm ordering to the server.

  See:

  https://www.openwall.com/lists/oss-security/2020/12/02/1
  https://anongit.mindrot.org/openssh.git/commit/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d

  This was included in Ubuntu 22.04 LTS and higher, but has not been
  included in 22.04 LTS and previous versions.

  We should release an update with this mitigation included.
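To make the mitigation concrete, here is a small Python model of the client-side host-key algorithm ordering step and of what a passive observer of the key exchange can infer from it. This is an added illustration, not OpenSSH's code and not the Ubuntu patch: the default preference list and the known_hosts lines are constructed samples, and the function names are hypothetical. It shows the two behaviours side by side: the unmitigated ordering moves algorithms for already-known host keys to the front of the proposal (so a non-default order tells an observer the client has seen this host before), while the mitigated ordering keeps the default list whenever the client already holds a key of the best-preference type, and only in that scenario.

```python
"""Model of SSH client host-key algorithm ordering, with and without the
CVE-2020-14145 mitigation (keep the default order when the client already has a
host key of the best-preference type). Added example with constructed data;
not OpenSSH's own implementation."""
from typing import Iterable, List, Set

# Constructed, abbreviated default preference list (the real one is longer).
DEFAULT_HOSTKEY_ALGS: List[str] = [
    "ssh-ed25519-cert-v01@openssh.com",
    "ecdsa-sha2-nistp256-cert-v01@openssh.com",
    "rsa-sha2-512-cert-v01@openssh.com",
    "ssh-ed25519",
    "ecdsa-sha2-nistp256",
    "rsa-sha2-512",
    "rsa-sha2-256",
    "ssh-rsa",
]

CERT_SUFFIX = "-cert-v01@openssh.com"


def key_type_of(alg: str) -> str:
    """Map a signature algorithm name to the underlying host-key type,
    e.g. rsa-sha2-512-cert-v01@openssh.com -> ssh-rsa."""
    plain = alg[: -len(CERT_SUFFIX)] if alg.endswith(CERT_SUFFIX) else alg
    if plain in ("rsa-sha2-256", "rsa-sha2-512"):
        return "ssh-rsa"
    return plain


def known_key_types(known_hosts_lines: Iterable[str], host: str) -> Set[str]:
    """Collect the key types recorded for `host` in plain (unhashed)
    known_hosts-style lines: '<host[,host...]> <keytype> <base64 key>'."""
    types: Set[str] = set()
    for line in known_hosts_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        hosts, ktype = fields[0].split(","), fields[1]
        if host in hosts:
            types.add(ktype)
    return types


def order_unmitigated(default: List[str], known: Set[str]) -> List[str]:
    """Pre-mitigation behaviour: algorithms whose key type the client already
    knows for this host are moved to the front, relative order preserved."""
    first = [a for a in default if key_type_of(a) in known]
    rest = [a for a in default if key_type_of(a) not in known]
    return first + rest


def order_mitigated(default: List[str], known: Set[str]) -> List[str]:
    """Mitigated behaviour: if the client holds a key of the best-preference
    type, send the default order unchanged; otherwise fall back to reordering."""
    if key_type_of(default[0]) in known:
        return list(default)
    return order_unmitigated(default, known)


def proposal_reveals_known_host(proposal: List[str],
                                default: List[str] = DEFAULT_HOSTKEY_ALGS) -> bool:
    """What an observer of the client's KEXINIT can tell: any deviation from
    the default order implies the client has a stored key for this host."""
    return proposal != list(default)


# Constructed known_hosts sample; the key material is placeholder text.
KNOWN_HOSTS = """
# constructed sample, not real keys
server-a.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA
server-b.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERKEYDATA
""".splitlines()


if __name__ == "__main__":
    for host in ("server-a.example", "server-b.example", "unknown.example"):
        known = known_key_types(KNOWN_HOSTS, host)
        before = order_unmitigated(DEFAULT_HOSTKEY_ALGS, known)
        after = order_mitigated(DEFAULT_HOSTKEY_ALGS, known)
        print(f"{host}: known={sorted(known)} "
              f"reveals(unmitigated)={proposal_reveals_known_host(before)} "
              f"reveals(mitigated)={proposal_reveals_known_host(after)}")
```

Running the block shows the scope the changelog describes: for server-a (an ed25519 key, which matches the best-preference type) the mitigated proposal is indistinguishable from a first contact, whereas for server-b (only an RSA key) the proposal is still reordered and the leak remains.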
