CVE-2014-9278

NameCVE-2014-9278
DescriptionThe OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 and when running in a Kerberos environment, allows remote authenticated users to log in as another user when they are listed in the .k5users file of that user, which might bypass intended authentication requirements that would force a local login.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
openssh (PTS)jessie1:6.7p1-5+deb8u4fixed
jessie (security)1:6.7p1-5+deb8u8fixed
stretch1:7.4p1-10+deb9u7fixed
stretch (security)1:7.4p1-10+deb9u6fixed
buster1:7.9p1-10fixed
bullseye, sid1:8.0p1-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
opensshsource(unstable)(not affected)

Notes

- openssh <not-affected> (patch not applied to Debian)
https://bugzilla.redhat.com/show_bug.cgi?id=1169843
Patch https://bugzilla.mindrot.org/show_bug.cgi?id=1867 from not applied in Debian

Search for package or bug name: Reporting problems