File _patchinfo of Package patchinfo.34681
<patchinfo incident="34681">
<issue tracker="bnc" id="1225904">Package openssh does not build with gcc14 because of new errors</issue>
<issue tracker="bnc" id="1227350">the installed openssh-server-config-rootlogin-9.6p1-150600.2.7.x86_64 requires 'openssh-server = 9.6p1-150600.2.7', but this requirement cannot be provided</issue>
<issue tracker="bnc" id="1218215">VUL-0: CVE-2023-51385: openssh: command injection via user name or host name metacharacters</issue>
<issue tracker="bnc" id="1227318">VUL-0: CVE-2024-39894: openssh: timing attacks against echo-off password entry</issue>
<issue tracker="bnc" id="1224392">zypper dup installs openssh-server-config-rootlogin which allows ssh login with password</issue>
<issue tracker="cve" id="2024-39894"/>
<issue tracker="cve" id="2023-51385"/>
<packager>alarrosa</packager>
<rating>moderate</rating>
<category>security</category>
<summary>Security update for openssh</summary>
<description>This update for openssh fixes the following issues:
Security fixes:
- CVE-2024-39894: Fixed timing attacks against echo-off password entry (bsc#1227318).
Other fixes:
- Add obsoletes for openssh-server-config-rootlogin (bsc#1227350).
- Add #include &lt;stdlib.h&gt; in some files added by the ldap patch to
fix build with gcc14 (bsc#1225904).
- Remove the recommendation for openssh-server-config-rootlogin
from openssh-server (bsc#1224392).
</description>
</patchinfo>