CVE-2024-39894 Information

Description

OpenSSH 9.5 through 9.7 before 9.8 sometimes allows timing attacks against echo-off password entry (e.g., for su and Sudo) because of an ObscureKeystrokeTiming logic error. Similarly, other timing attacks against keystroke entry could occur.

Reference

https://www.openssh.com/txt/release-9.8
https://lists.mindrot.org/pipermail/openssh-unix-announce/2024-July/000158.html
https://www.openwall.com/lists/oss-security/2024/07/02/1
http://www.openwall.com/lists/oss-security/2024/07/03/6
