According to this article:
OpenSSH 7.9 and earlier contain a set of vulnerabilities that date back to 1983.
CVE-2018-20685 - server can alter directory permissions on the client
CVE-2019-6111 - server can send arbitrary files not requested by the client, even overwriting files in the client's file system.
CVE-2019-6109, CVE-2019-6110 - server can alter the object name or output display on the ssh client to hide files being copied
There is apparently a patch available, linked to from the article mentioned above, which appears to apply to -CURRENT from a few days ago. I have not attempted to build the source. However, the patch is available here:
Since I have only verified that the code in the FreeBSD crypto/openssh tree does not appear to have been patched for these vulnerabilities, I cannot for certain say that they exist; however, it is extremely likely and needs to be brought to the attention of the appropriate people.
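As an added illustration of the client-side checks these CVEs call for (not part of the original report, and not OpenSSH's or FreeBSD's code), the function below validates one scp control record received from the server before the client acts on it. The record layout `C<mode> <size> <name>`, the function and enum names, and the control-byte filter are assumptions of this example.

```c
#include <fnmatch.h>
#include <stdlib.h>
#include <string.h>

enum scp_verdict { SCP_OK = 0, SCP_MALFORMED, SCP_BAD_NAME, SCP_NOT_REQUESTED };

/*
 * record:  one control line from the server, e.g. "C0644 12 notes.txt"
 *          (type, octal mode, size, name); trailing newline already stripped.
 * pattern: last path component of what the user requested, e.g. "*.txt".
 */
enum scp_verdict
check_scp_record(const char *record, const char *pattern)
{
    const char *p = record;
    char *end;

    if (*p != 'C' && *p != 'D')
        return SCP_MALFORMED;
    p++;
    /* mode: exactly four octal digits followed by a space */
    for (int i = 0; i < 4; i++, p++)
        if (*p < '0' || *p > '7')
            return SCP_MALFORMED;
    if (*p++ != ' ')
        return SCP_MALFORMED;
    /* size: decimal digits followed by a space */
    if (*p < '0' || *p > '9')
        return SCP_MALFORMED;
    (void)strtoull(p, &end, 10);
    if (*end != ' ')
        return SCP_MALFORMED;
    const char *name = end + 1;

    /* Empty, ".", ".." or a path: would touch the target directory or escape it. */
    if (*name == '\0' || strchr(name, '/') != NULL ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return SCP_BAD_NAME;
    /* Assumed simplification: refuse control bytes that could rewrite terminal output. */
    for (const unsigned char *c = (const unsigned char *)name; *c; c++)
        if (*c < 0x20 || *c == 0x7f)
            return SCP_BAD_NAME;
    /* The server may only send names matching what the client asked for. */
    if (fnmatch(pattern, name, FNM_NOESCAPE) != 0)
        return SCP_NOT_REQUESTED;
    return SCP_OK;
}
```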
CC'ING secteam, perhaps
base r343043 by emaste@ addressed one of the issues (CVE-2018-20685)
CC bdrewery (security/openssh-portable maintainer)
According to the article/announcement details, openssh is vulnerable to all four CVEs.
I'd use this as a parent coordinator issue, with separate sub issues created for each of base openssh and ports openssh being tracked separately for clarity of merges (base issues only multiple MFC flags, ports issues have a single merge quarterly flag), and given base and ports components have different maintainers.
When in releng?
Patch in review https://reviews.freebsd.org/D19076
Does ports-secteam have to be active here?