Wind River Support Network

HomeDefectsLIN7-6967
Fixed

LIN7-6967 : Security Advisory - openssh - CVE-2016-8858

Created: Nov 6, 2016    Updated: Sep 8, 2018
Resolved Date: Nov 10, 2016
Found In Version: 7.0.0.20
Fix Version: 7.0.0.22
Severity: Standard
Applicable for: Wind River Linux 7
Component/s: Userspace

Description

A memory exhaustion issue in OpenSSH that can be triggered before user authentication was found. An unauthenticated attacker could consume approx. 400 MB of memory per each connection. The attacker could set up multiple such connections to run out of server’s memory. 

Source: https://bugzilla.redhat.com/show_bug.cgi?id=1384860#c5

It is stated that "Affected versions: openssh-6.8p1, openssh-6.9p1, openssh-7.0p1, openssh-7.1p1, openssh-7.2p1, openssh-7.3p1. " but it could affect openssh 6.0 code from wrl5.

Upstream patch: https://github.com/openssh/openssh-portable/commit/ec165c392ca54317dbe3064a8c200de6531e89ad

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8858

Steps to Reproduce

-

Other Downloads

CVEs

Live chat
Online
  • Linkedin
  • Facebook
  • Twitter
  • Youtube