Damien Miller wrote on Mon, Jul 01, 2024 at 02:10:04AM -0600:
> OpenSSH 9.8 has just been released. It will be available from the
> mirrors listed at https://www.openssh.com/ shortly.

Thanks for all the work towards this release.

Just a paperwork question as I couldn't find the information anywhere, was there any CVE assigned to the 2nd security issue?

I'm asking because I tried updating the alpine package[1], and given the first issue is a slightly different problem on musl it probably needs a different label than CVE-2024-6387; I'm honestly still not quite sure how all this works after all these years but at the very least a search on cve.mitre.org[2] didn't turn up anything, so I assume redhat (who issued the first CVE) didn't process the second problem?

(although to be fair the non-safety is still a problem on alpine, so that CVE might still apply, it's just no longer a free/malloc race with syslog but something that hasn't been studied as extensively... labeling is hard.)

[1] https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/68482#note_417509
[2] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openssh

Damien Miller wrote on Mon, Jul 01, 2024 at 02:10:04AM -0600:
> 1) Race condition in sshd(8)

Looking at other announces I assume CVE-2024-6387 is specific to this.

> 2) Logic error in ssh(1) ObscureKeystrokeTiming

I couldn't find anything on this one.

Thanks,
--
Dominique Martinet | Asmadeus