Fix for CVE-2014-1692, CVE-2014-2532

Ángel González keisial at gmail.com
Wed Mar 18 08:55:14 AEDT 2015


On 17/03/15 15:52, abhi dhiman wrote:
> Hi All,
>
> Actually I am working with the OpenSSH version 6.2p which is vulnerable to
> the above-mentioned vulnerabilities.
>
> So I am looking for some help on how I can fix these vulnerabilities in my
> version. I need to fix it in the OpenSSH code.
>
> Regards
> Abhishek
Unless you specifically enabled the experimental JPAKE support in
openssh (e.g. by adding -DJPAKE in Makefile.inc) you are not affected by
CVE-2014-1692.

In order to avoid CVE-2014-2532, you can apply this change:
https://anongit.mindrot.org/openssh.git/commit/?id=8569eba5d7f7348ce3955eeeb399f66f25c52ece

Regards




More information about the openssh-unix-dev mailing list