Portable OpenSSH 5.8p2 has just been released. It will be available
from the mirrors listed at http://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
http://www.openssh.com/donations.html
Changes since OpenSSH 5.8p1
==========================
Security:
* Fix local private host key compromise on platforms without host-
level randomness support (e.g. /dev/random) reported by Tomas Mraz
On hosts that did not have a randomness source configured in
OpenSSL and were not configured to use EGD/PRNGd (using the
--with-prngd-socket configure option), the ssh-rand-helper command
was being implicitly executed by ssh-keysign with open file
descriptors to the host private keys. An attacker could use
ptrace(2) to attach to ssh-rand-helper and exfiltrate the keys.
Most modern operating systems are not vulnerable. In particular,
*BSD, Linux, OS X and Cygwin do not use ssh-rand-helper.
A full advisory for this issue is available at:
http://www.openssh.com/txt/portable-keysign-rand-helper.adv
Portable OpenSSH Bugfixes:
* Fix compilation failure when enabling SELinux support.
* Revised Cygwin ssh-{host,user}-config that include ECDSA key
support.
* Revised Cygwin ssh-host-config to be more thorough in error checking
and reporting.
Checksums:
=========
- SHA1 (openssh-5.8p2.tar.gz) = e610270e0c5484fb291cd81bbcbefbeb5e391a62
Reporting Bugs:
==============
- Please read http://www.openssh.com/report.html
Security bugs should be reported directly to openssh at openssh.com
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.
