OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be triggered by an unauthenticated attacker in the default configuration; however, the vulnerability discoverer reports that "exploiting this vulnerability will not be easy."

https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/017_sshd.patch.sig
https://bugzilla.mindrot.org/show_bug.cgi?id=3522
https://github.com/openssh/openssh-portable/commit/486c4dc3b83b4b67d663fb0fa62bc24138ec3946
https://www.openwall.com/lists/oss-security/2023/02/02/2
https://github.com/openssh/openssh-portable/pull/324
We don't have 9.1 in either RHEL or Fedora, so it's hardly relevant for us.
(In reply to Dmitry Belyavskiy from comment #2)
> We don't have 9.1 in either RHEL or Fedora, so it's hardly relevant for
> us.

Yes, all our products are already marked as Not Affected, and the CVE page entry has been updated as well.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-25136
Roy, could you please check whether it's just a self-DoS or whether it can be exploited via https://seclists.org/oss-sec/2023/q1/92 or something similar?
If it is a self-DoS, why does the presence of a public exploit matter?
*** Bug 2166785 has been marked as a duplicate of this bug. ***
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2645 https://access.redhat.com/errata/RHSA-2023:2645