[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 1/1] gnu: openssh: Fix CVE-2015-8325.
|
From: |
Ludovic Courtès |
|
Subject: |
Re: [PATCH 1/1] gnu: openssh: Fix CVE-2015-8325. |
|
Date: |
Sun, 17 Apr 2016 16:26:06 +0200 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) |
Leo Famulari <address@hidden> skribis:
> On Fri, Apr 15, 2016 at 11:27:35PM +0200, Ludovic Courtès wrote:
>> Leo Famulari <address@hidden> skribis:
>>
>> > * gnu/packages/patches/openssh-CVE-2015-8325.patch: New file.
>> > * gnu-system.am (dist_patch_DATA): Add it.
>> > * gnu/packages/ssh.scm (openssh): Use it.
>>
>> The explanation in the OpenSSH commit log is clear IMO and the fix looks
>> reasonable, so I’d say go for it…
>>
>> … but I can’t seem to find the change in the authoritative repo:
>>
>> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c
>
> The web page for the portable version of OpenSSH [0] (which is what we
> package) says this:
>
> "Normal OpenSSH development produces a very small, secure, and easy to
> maintain version for the OpenBSD project. The OpenSSH Portability Team
> takes that pure version and adds portability code so that OpenSSH can
> run on many other operating systems (Unfortunately, in particular since
> OpenSSH does authentication, it runs into a *lot* of differences between
> Unix operating systems)."
>
> The bug is related to how sshd interacts with PAM. My understanding is
> that OpenBSD does not use PAM, so the bug would not exist in their
> repository.
>
> [0] FYI, I could not load this site over HTTPS
> http://www.openssh.com/portable.html This page also links to the
> repository that contains the patch.
Oh, OK, thanks for the clarification. Well, go for it!
Ludo’.