CVE-2014-2653

It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record.

Details Source

Red Hat

Statement

The Red Hat Security Response Team has rated this issue as having Moderate security impact. This issue is not planned to be fixed in Red Hat Enterprise Linux 5, as it is now in the Production 3 Phase of the support and maintenance life cycle: https://access.redhat.com/support/policy/updates/errata/

Public Date

2014-03-24 00:00:00

Impact

Moderate

Bugzilla

CVE-2014-2653 openssh: failure to check DNS SSHFP records in certain scenarios

Bugzilla ID

1081338

CVSS Status

verified

Base Score

4.30

Base Metrics

AV:N/AC:M/Au:N/C:N/I:P/A:N

Red Hat Security Errata

| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux 7 (openssh) | RHSA-2015:0425 | 2015-03-05 |
| Red Hat Enterprise Linux 6 (openssh) | RHSA-2014:1552 | 2014-10-13 |

CWE

CWE-592

Affected Packages State

| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 5 | openssh | Will not fix |