Advisories » MGASA-2014-0166

Updated openssh packages fix CVE-2014-2653

Publication date: 08 Apr 2014
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2014-2653

Description

Updated openssh packages fix security vulnerability:

Matthew Vernon reported that if an SSH server offers a HostCertificate that
the ssh client doesn't accept, then the client doesn't check the DNS for
SSHFP records. As a consequence a malicious server can disable SSHFP-checking
by presenting a certificate (CVE-2014-2653).
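
The decision flow described above, as an added example that is not OpenSSH code and is not taken from the packaged patch: it models a client that skips the SSHFP lookup for an unaccepted certificate beside one that falls back to the certificate's plain key. The function names, verdict strings, host.example and the key blobs are assumptions constructed for illustration.

```python
import hashlib

SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2}            # RFC 4255 algorithm numbers
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}   # fingerprint types (RFC 4255, RFC 6594)
CERT_SUFFIX = "-cert-v01@openssh.com"

def sshfp_rr(host, key_type, blob, fp_type=2):
    """Render the SSHFP record an administrator would publish for a plain key blob."""
    digest = SSHFP_HASH[fp_type](blob).hexdigest()
    return f"{host}. IN SSHFP {SSHFP_ALG[key_type]} {fp_type} {digest}"

def parse_sshfp(zone_text):
    """Return {(algorithm, fp_type, hex_digest)} from presentation-format SSHFP lines."""
    records = set()
    for line in zone_text.splitlines():
        fields = line.split()
        if "SSHFP" in fields:
            alg, fp_type, digest = fields[fields.index("SSHFP") + 1:][:3]
            records.add((int(alg), int(fp_type), digest.lower()))
    return records

def sshfp_matches(key_type, blob, records):
    """True if the plain key's fingerprint equals one of the published records."""
    alg = SSHFP_ALG.get(key_type)
    return any(a == alg and t in SSHFP_HASH and SSHFP_HASH[t](blob).hexdigest() == d
               for a, t, d in records)

def check_offer(key_type, plain_blob, cert_accepted, records, fixed):
    """Hypothetical model of the client decision; returns which check decided it."""
    if key_type.endswith(CERT_SUFFIX):
        if cert_accepted:
            return "certificate-accepted"
        if not fixed:
            return "sshfp-not-consulted"         # behaviour described in the advisory
        key_type = key_type[:-len(CERT_SUFFIX)]  # assumed fix: check the plain key instead
    if sshfp_matches(key_type, plain_blob, records):
        return "sshfp-match"
    return "sshfp-mismatch"

# Constructed sample data: byte strings standing in for public key blobs.
GENUINE_BLOB = b"constructed-genuine-host-key-blob"
OTHER_BLOB = b"constructed-unexpected-host-key-blob"
ZONE = sshfp_rr("host.example", "ssh-rsa", GENUINE_BLOB)
RECORDS = parse_sshfp(ZONE)

if __name__ == "__main__":
    for fixed in (False, True):
        verdict = check_offer("ssh-rsa" + CERT_SUFFIX, OTHER_BLOB, False, RECORDS, fixed)
        print("fixed" if fixed else "flawed", "->", verdict)
```
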
                

References

SRPMS

3/core

4/core