bugzilla-daemon at mindrot.org
2024-Jan-13 06:49 UTC
[Bug 3656] New: How to fix row hammer attacks?
https://bugzilla.mindrot.org/show_bug.cgi?id=3656

    Bug ID: 3656
    Summary: How to fix row hammer attacks?
    Product: Portable OpenSSH
    Version: -current
    Hardware: All
    OS: All
    Status: NEW
    Severity: security
    Priority: P5
    Component: sshd
    Assignee: unassigned-bugs at mindrot.org
    Reporter: rmsh1216 at 163.com

A new vulnerability (CVE-2023-51767) in openssh has been published, but there seems to be no fix yet.

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-51767

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2024-Jan-16 07:32 UTC
[Bug 3656] How to fix row hammer attacks?
https://bugzilla.mindrot.org/show_bug.cgi?id=3656

Damien Miller <djm at mindrot.org> changed:

    What       |Removed    |Added
    ----------------------------------------------------------------------------
    CC         |           |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
This attack was not demonstrated against stock OpenSSH, but instead against a modified sshd that had extra synchronisation added to make the attack easier.

AFAIK achieving the timing required to successfully exploit is close to impossible in the real world. See section 9 of their paper https://arxiv.org/pdf/2309.02545.pdf

They don't mention it, but any kind of ASLR would increase the difficulty of attack by several orders of magnitude.

Nobody has demonstrated this attack against a configuration remotely approximating real-world conditions. We consider rowhammer mitigation to be the job of the platform, not userspace software.
bugzilla-daemon at mindrot.org
2024-May-06 02:42 UTC
[Bug 3656] How to fix row hammer attacks?
https://bugzilla.mindrot.org/show_bug.cgi?id=3656

renmingshuai <rmsh1216 at 163.com> changed:

    What       |Removed    |Added
    ----------------------------------------------------------------------------
    Resolution |---        |FIXED
    Status     |NEW        |RESOLVED
bugzilla-daemon at mindrot.org
2024-May-14 18:23 UTC
[Bug 3656] How to fix row hammer attacks?
https://bugzilla.mindrot.org/show_bug.cgi?id=3656

Clint.Clayton at dell.com changed:

    What       |Removed    |Added
    ----------------------------------------------------------------------------
    CC         |           |Clint.Clayton at dell.com

--- Comment #2 from Clint.Clayton at dell.com ---
This bug was set to resolved / fixed. Was there a fix committed to the git repository? I couldn't find one in https://anongit.mindrot.org/openssh.git/log
bugzilla-daemon at mindrot.org
2024-May-14 23:16 UTC
[Bug 3656] How to fix row hammer attacks?
https://bugzilla.mindrot.org/show_bug.cgi?id=3656

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
No, see comment 1 here
bugzilla-daemon at mindrot.org
2024-May-15 01:57 UTC
[Bug 3656] How to fix row hammer attacks?
https://bugzilla.mindrot.org/show_bug.cgi?id=3656

renmingshuai <rmsh1216 at 163.com> changed:

    What       |Removed    |Added
    ----------------------------------------------------------------------------
    Status     |RESOLVED   |CLOSED
bugzilla-daemon at mindrot.org
2024-May-15 01:58 UTC
[Bug 3656] How to fix row hammer attacks?
https://bugzilla.mindrot.org/show_bug.cgi?id=3656

renmingshuai <rmsh1216 at 163.com> changed:

    What       |Removed    |Added
    ----------------------------------------------------------------------------
    Resolution |FIXED      |WONTFIX