[arch-dev-public] [signoff] openssh-5.8p2-1
Gaetan Bisson
bisson at archlinux.org
Tue May 3 04:23:39 CEST 2011
Dear all,

An upstream update to openssh is in [testing]; from the Changelog:

 * Fix local private host key compromise on platforms without host-level
   randomness support (e.g. /dev/random) reported by Tomas Mraz

   On hosts that did not have a randomness source configured in
   OpenSSL and were not configured to use EGD/PRNGd (using the
   --with-prngd-socket configure option), the ssh-rand-helper command
   was being implicitly executed by ssh-keysign with open file
   descriptors to the host private keys. An attacker could use
   ptrace(2) to attach to ssh-rand-helper and exfiltrate the keys.

   Most modern operating systems are not vulnerable. In particular,
   *BSD, Linux, OS X and Cygwin do not use ssh-rand-helper.

   A full advisory for this issue is available at:
   http://www.openssh.com/txt/portable-keysign-rand-helper.adv

There are other minor changes but they don't concern Arch.

Please test and signoff.

--
Gaetan
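
The changelog quoted above describes a helper being executed while descriptors to sensitive files were still open. The following is an added example, not part of the original message and not OpenSSH's actual fix: it counts the descriptors an exec'd program would inherit and marks them close-on-exec before running a helper. The names `scan_inheritable` and `run_helper` are hypothetical, and `/dev/null` is a constructed stand-in for a key file.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Visit open descriptors >= lowfd that an exec'd program would inherit; if fix
 * is nonzero, set FD_CLOEXEC on each. Returns how many were found, -1 on error. */
int scan_inheritable(int lowfd, int fix) {
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0 || max > 65536) max = 65536;  /* cap: limit may be unset or huge */
    int found = 0;
    for (int fd = lowfd; fd < max; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1 || (flags & FD_CLOEXEC)) continue;  /* closed or already safe */
        if (fix && fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1) return -1;
        found++;
    }
    return found;
}

/* Fork and exec a helper that inherits only stdio; returns its exit status or -1. */
int run_helper(char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                       /* child: nothing above fd 2 survives exec */
        if (scan_inheritable(3, 1) == -1) _exit(126);
        execv(argv[0], argv);
        _exit(127);                       /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    int key = open("/dev/null", O_RDONLY);  /* constructed stand-in for a host key */
    int before = scan_inheritable(3, 0), marked = scan_inheritable(3, 1);
    printf("fd %d: inheritable %d -> %d (marked %d)\n",
           key, before, scan_inheritable(3, 0), marked);
    return 0;
}
```

Opening sensitive files with `O_CLOEXEC` in the first place avoids the window between `open` and the later `fcntl` call.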