CVE-2019-16905

NameCVE-2019-16905
DescriptionOpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the XMSS key parsing algorithm. NOTE: the XMSS implementation is considered experimental in all released OpenSSH versions, and there is no supported way to enable it when building portable OpenSSH.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
openssh (PTS)buster1:7.9p1-10+deb10u2vulnerable
buster (security)1:7.9p1-10+deb10u1vulnerable
bullseye1:8.4p1-5+deb11u1fixed
bookworm, sid1:9.2p1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
opensshsourcejessie(not affected)
opensshsourcestretch(not affected)
opensshsource(unstable)1:8.1p1-1unimportant

Notes

[stretch] - openssh <not-affected> (Vulnerable code introduced later)
[jessie] - openssh <not-affected> (Vulnerable code introduced later)
Issue in experimental (and not enabled) XMSS implementation; futhermore there
is not supported way to enable it when building openssh.
Search for package or bug name: Reporting problems