CVE-2014-9278

Name: CVE-2014-9278
Description: The OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 and when running in a Kerberos environment, allows remote authenticated users to log in as another user when they are listed in the .k5users file of that user, which might bypass intended authentication requirements that would force a local login.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| openssh (PTS) | jessie | 1:6.7p1-5+deb8u4 | fixed |
| | jessie (security) | 1:6.7p1-5+deb8u8 | fixed |
| | stretch | 1:7.4p1-10+deb9u7 | fixed |
| | stretch (security) | 1:7.4p1-10+deb9u6 | fixed |
| | buster | 1:7.9p1-10+deb10u2 | fixed |
| | buster (security) | 1:7.9p1-10+deb10u1 | fixed |
| | bullseye | 1:8.1p1-5 | fixed |
| | sid | 1:8.2p1-1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| openssh | source | (unstable) | (not affected) | | | |

Notes

- openssh <not-affected> (patch not applied to Debian)
https://bugzilla.redhat.com/show_bug.cgi?id=1169843
Patch from https://bugzilla.mindrot.org/show_bug.cgi?id=1867 not applied in Debian
