Jan 17, 2019 - 12:00 a.m.

K31781390 : January 2019 OpenSSH security vulnerabilities

my.f5.com
CVSS3: 6.8 Medium

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • User Interaction: REQUIRED
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

AI Score: 6.9 Medium (Confidence: High)

CVSS2: 5.8 Medium

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

AV:N/AC:M/Au:N/C:N/I:P/A:P

EPSS: 0.007 Low (Percentile: 78.0%)

Security Advisory Description

In January 2019, a security researcher announced the discovery of the following OpenSSH SCP client vulnerabilities:

  • CVE-2018-20685 (OpenSSH): Improper check in scp.c:sink() allows malicious servers to bypass access restrictions in scp client
  • CVE-2019-6109 (OpenSSH): Missing character encoding in progress display allows for spoofing of scp client output
  • CVE-2019-6110 (OpenSSH): Acceptance and display of arbitrary stderr allows for spoofing of scp client output
  • CVE-2019-6111 (OpenSSH): Improper validation of object names allows malicious server to overwrite files via scp client

For the complete announcement from the independent security researcher, refer to the following link:

Note: The following link takes you to a resource outside of AskF5. The third party could remove the document without our knowledge.

<https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt>

To locate relevant articles for the previously listed vulnerabilities, refer to the following table. If the Article column is blank, then no article has yet been published. F5 Technical Support has no additional information on these issues.

| Vulnerability | Article |
| --- | --- |
| CVE-2018-20685 | K11315080: OpenSSH vulnerability CVE-2018-20685 |
| CVE-2019-6109 | K12252011: OpenSSH vulnerability CVE-2019-6109 |
| CVE-2019-6110 | K42531048: OpenSSH vulnerability CVE-2019-6110 |
| CVE-2019-6111 | K21350967: OpenSSH vulnerability CVE-2019-6111 |

Note: This is a temporary index. When articles have been published for all of the CVEs listed in the previous table, this article may no longer be maintained, may be repurposed, or may be archived without advance notice.
