mirror of
https://git.busybox.net/buildroot.git
synced 2024-12-11 14:23:52 +08:00
12916827e0
Security ======== * sshd(8): OpenSSH 8.5 introduced the LogVerbose keyword. When this option was enabled with a set of patterns that activated logging in code that runs in the low-privilege sandboxed sshd process, the log messages were constructed in such a way that printf(3) format strings could effectively be specified the low-privilege code. An attacker who had sucessfully exploited the low-privilege process could use this to escape OpenSSH's sandboxing and attack the high-privilege process. Exploitation of this weakness is highly unlikely in practice as the LogVerbose option is not enabled by default and is typically only used for debugging. No vulnerabilities in the low-privilege process are currently known to exist. https://www.openssh.com/txt/release-8.6 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> |
||
---|---|---|
.. | ||
Config.in | ||
openssh.hash | ||
openssh.mk | ||
S50sshd | ||
sshd-sysusers.conf | ||
sshd.service |