OpenSSH 9.5 through 9.7 before 9.8 sometimes allows timing attacks against echo-off password entry (e.g., for su and Sudo) because of an ObscureKeystrokeTiming logic error. Similarly, other timing attacks against keystroke entry could occur.
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_version": "1:9.6p1-3ubuntu13.4", "binary_name": "openssh-client" }, { "binary_version": "1:9.6p1-3ubuntu13.4", "binary_name": "openssh-client-dbgsym" }, { "binary_version": "1:9.6p1-3ubuntu13.4", "binary_name": "openssh-server" }, { "binary_version": "1:9.6p1-3ubuntu13.4", "binary_name": "openssh-server-dbgsym" }, { "binary_version": "1:9.6p1-3ubuntu13.4", "binary_name": "openssh-sftp-server" }, { "binary_version": "1:9.6p1-3ubuntu13.4", "binary_name": "openssh-sftp-server-dbgsym" }, { "binary_version": "1:9.6p1-3ubuntu13.4", "binary_name": "openssh-tests" }, { "binary_version": "1:9.6p1-3ubuntu13.4", "binary_name": "openssh-tests-dbgsym" }, { "binary_version": "1:9.6p1-3ubuntu13.4", "binary_name": "ssh" }, { "binary_version": "1:9.6p1-3ubuntu13.4", "binary_name": "ssh-askpass-gnome" }, { "binary_version": "1:9.6p1-3ubuntu13.4", "binary_name": "ssh-askpass-gnome-dbgsym" } ] }