openssh: Add fixes for CVEs reported for openssh
Applied patch for CVE-2020-14145 Link: https://anongit.mindrot.org/openssh.git/patch/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d Also, whitelisted below CVEs: 1.CVE-2020-15778: As per upstream, because of the way scp is based on a historical protocol called rcp which relies on that style of argument passing and therefore encounters expansion problems. Making changes to how the scp command line works breaks the pattern used by scp consumers. Upstream therefore recommends the use of rsync in the place of scp for better security. https://bugzilla.redhat.com/show_bug.cgi?id=1860487 2.CVE-2008-3844: It was reported in OpenSSH on Red Hat Enterprise Linux and certain packages may have been compromised. This CVE is not applicable as our source is OpenBSD. Links: https://securitytracker.com/id?1020730 https://www.securityfocus.com/bid/30794 Also, for CVE-2007-2768 no fix is available yet as it's unavoidable drawback of using one time passwords as per https://bugzilla.suse.com/show_bug.cgi?id=CVE-2007-2768 Also it is marked as unimportant on debian https://security-tracker.debian.org/tracker/CVE-2007-2768 Mailed to CPE to update database for CVE-2020-15778, CVE-2008-3844 and CVE-2007-2768. We can upstream CVE-2020-14145 till we recieve response from CPE. Signed-off-by:Sana Kazi <Sana.Kazi@kpit.com> Signed-off-by:
Loading
Please register or sign in to comment