8.5p1 <= OpenSSH < 9.8p1 is vulnerable
this post was submitted on 01 Jul 2024
32 points (97.1% liked)
Security
626 readers
1 users here now
A community for discussion about cybersecurity, hacking, cybersecurity news, exploits, bounties etc.
Rules :
- All instance-wide rules apply.
- Keep it totally legal.
- Remember the human, be civil.
- Be helpful, don't be rude.
Icon base by Delapouite under CC BY 3.0 with modifications to add a gradient
founded 1 year ago
MODERATORS
what does that mean? I don't understand multiple signs in the same sentence and what is the significance of having "OpenSSH" in the middle?
You can read them as separate statements with the middle repeated and a logical AND between them:
If (8.5p1 <= your OpenSSH version) AND (your OpenSSH version < 9.8p1) Then you are vulnerable
It’s the same as saying if your OpenSSH version is between these two versions (including 8.5p1, but not 9.8p1), then you are vulnerable
I don't get it... wouldn't everything < 9.8p1 already include <= 8.5p1? So why is it even necessary to mention?
Because this is a regression and this particular issue was introduced in 8.5p1. So it only affects versions newer than that, up until when it was fixed in 9.8p1.
For an integer, 4 < x < 6 x has to be 5. It's the only value that satisfies all sides of the equation.
You are deriving a set of values for open ssh that satisfies all sides of the equation.
I think it's more of a mathematical representation than programming representation (I mean, I don't know of a language that would accept that syntax).
Certainly psuedocode would have quick statements like this
seems to work fine in C and I can find quite a bit of examples of it being used actually
Oh, I can't find any examples. What are you searching for?
The closest I can find is an old hlsl offhand comment showing the syntax in isolation, but no example.
https://stackoverflow.com/a/29689866