Description
It was discovered that OpenSSH clients did not correctly verify DNS SSHFP
records. A malicious server could use this flaw to force a connecting client to
skip the DNS SSHFP record check and require the user to perform manual host
verification of the DNS SSHFP record. (CVE-2014-2653)
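The check that the first flaw lets a server sidestep, as an added example that is not part of this advisory or of OpenSSH's own code: it derives the SSHFP record data (RFC 4255) from an OpenSSH public key line and accepts a presented host key only when a record fetched from DNS matches, treating anything it cannot check as "not verified". The ssh-ed25519 key is constructed, and the function names `sshfp_from_pubkey` and `host_key_matches_sshfp` are assumed for illustration.

```python
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) and fingerprint types.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4,
}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

def sshfp_from_pubkey(pubkey_line, fp_type=2):
    """Return (algorithm, fptype, hexfp) as it would be published in DNS.
    The fingerprint covers the raw key blob: the base64-decoded second field
    of an OpenSSH public key line."""
    keytype, b64 = pubkey_line.split()[:2]
    if keytype not in SSHFP_ALGORITHM:
        # No SSHFP number exists for this key type, so DNS cannot vouch for it;
        # the client has to fall back to manual host key verification.
        raise ValueError("no SSHFP algorithm number for %r" % keytype)
    blob = base64.b64decode(b64)
    # The blob embeds its own key type as a length-prefixed string; it must agree.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type in blob does not match %r" % keytype)
    return SSHFP_ALGORITHM[keytype], fp_type, SSHFP_HASH[fp_type](blob).hexdigest()

def host_key_matches_sshfp(pubkey_line, records):
    """True only if some DNS record (algorithm, fptype, hexfp) matches the
    presented host key. Anything that cannot be checked is *not* a match:
    the decision then stays with the user instead of being skipped."""
    for alg, fptype, hexfp in records:
        if fptype not in SSHFP_HASH:
            continue  # unknown fingerprint type cannot serve as evidence
        try:
            got = sshfp_from_pubkey(pubkey_line, fptype)
        except ValueError:
            return False
        if got == (alg, fptype, hexfp.lower()):
            return True
    return False

# Constructed sample: an ssh-ed25519 key blob holding a dummy 32-byte key,
# not a real host key.
_BLOB = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_PUBKEY = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " constructed"
```

A client that trusts a key on a mismatch, or on an empty or unparseable answer, is exactly the behaviour the advisory describes; the matcher above returns False in all those cases so the user is prompted.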
It was found that when OpenSSH was used in a Kerberos environment, remote
authenticated users were allowed to log in as a different user if they were
listed in the ~/.k5users file of that user, potentially bypassing intended
authentication restrictions. (CVE-2014-9278)