Damien Miller
2011-May-03 00:50 UTC
[openssh-unix-announce] Announce: Portable OpenSSH 5.8p2 released
Portable OpenSSH 5.8p2 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: http://www.openssh.com/donations.html Changes since OpenSSH 5.8p1 ========================== Security: * Fix local private host key compromise on platforms without host- level randomness support (e.g. /dev/random) reported by Tomas Mraz On hosts that did not have a randomness source configured in OpenSSL and were not configured to use EGD/PRNGd (using the --with-prngd-socket configure option), the ssh-rand-helper command was being implicitly executed by ssh-keysign with open file descriptors to the host private keys. An attacker could use ptrace(2) to attach to ssh-rand-helper and exfiltrate the keys. Most modern operating systems are not vulnerable. In particular, *BSD, Linux, OS X and Cygwin do not use ssh-rand-helper. A full advisory for this issue is available at: http://www.openssh.com/txt/portable-keysign-rand-helper.adv Portable OpenSSH Bugfixes: * Fix compilation failure when enabling SELinux support. * Revised Cygwin ssh-{host,user}-config that include ECDSA key support. * Revised Cygwin ssh-host-config to be more thorough in error checking and reporting. Checksums: ========= - SHA1 (openssh-5.8p2.tar.gz) = e610270e0c5484fb291cd81bbcbefbeb5e391a62 Reporting Bugs: ============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh at openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.