Fluid Attacks Database

Description

The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	openssh	>=0 <1:6.6p1-1	1:6.6p1-1
debian 13	openssh	>=0 <1:6.6p1-1	1:6.6p1-1
debian 11	openssh	>=0 <1:6.6p1-1	1:6.6p1-1
rpm rhel7	openssh	<0:6.6.1p1-11.el7	0:6.6.1p1-11.el7
debian 12	openssh	>=0 <1:6.6p1-1	1:6.6p1-1
rpm rhel6	openssh	<0:5.3p1-104.el6	0:5.3p1-104.el6
rpm rhel5	openssh	-	-

Aliases

1. CVE-2014-26532. NVD-2014-26533. OSV-DEBIAN-2014-26534. OSV-2014-26535. SECURITY-TRACKER-CVE-2014-2653

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.