CVE-2014-2653

2014-03-2700:00:00

ubuntu.com

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS

0.006

Percentile

78.5%

JSON

The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6
and earlier allows remote servers to trigger the skipping of SSHFP DNS RR
checking by presenting an unacceptable HostCertificate.

Bugs

<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513>

Notes

Author	Note
mdeslaur	code is different in lucid, and doesn’t seem vulnerable

OSVersionArchitecturePackageVersionFilename
ubuntu12.04noarchopenssh< 1:5.9p1-5ubuntu1.3UNKNOWN
ubuntu12.10noarchopenssh< 1:6.0p1-3ubuntu1.2UNKNOWN
ubuntu13.10noarchopenssh< 1:6.2p2-6ubuntu0.3UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	12.04	noarch	openssh	< 1:5.9p1-5ubuntu1.3	UNKNOWN
ubuntu	12.10	noarch	openssh	< 1:6.0p1-3ubuntu1.2	UNKNOWN
ubuntu	13.10	noarch	openssh	< 1:6.2p2-6ubuntu0.3	UNKNOWN