Re: [PATCH] openssh: CVE-2011-4327

Openembedded Core Discussions
 help / color / mirror / Atom feed

From: "Li.Wang" <Li.Wang@windriver.com>
To: "Burton, Ross" <ross.burton@intel.com>
Cc: openembedded-core@lists.openembedded.org,
	Scott Garman <scott.a.garman@intel.com>
Subject: Re: [PATCH] openssh: CVE-2011-4327
Date: Tue, 4 Dec 2012 09:28:02 +0800	[thread overview]
Message-ID: <50BD51A2.7010208@windriver.com> (raw)
In-Reply-To: <CAJTo0LY0WG_QNWT-aPW1jSnz9Ox8sHLfDQUs6KbXCEgF7zgo0g@mail.gmail.com>

This is my neglect.
The function has already been removed from OpenSSH prior to version 5.8p2:
ChangeLog:
20110505
 - (djm) [Makefile.in WARNING.RNG aclocal.m4 buildpkg.sh.in configure.ac]
   [entropy.c ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c]
   [ssh-keysign.c ssh-pkcs11-helper.c ssh-rand-helper.8 ssh-rand-helper.c]
   [ssh.c ssh_prng_cmds.in sshd.c contrib/aix/buildbff.sh]
   [regress/README.regress] Remove ssh-rand-helper and all its
   tentacles. PRNGd seeding has been rolled into entropy.c directly.
   Thanks to tim@ for testing on affected platforms.

So, please revert the patch.
Thanks,
LiWang.

Burton, Ross wrote:
> On 30 November 2012 22:41, Scott Garman <scott.a.garman@intel.com> wrote:
>   
>> The second link you referenced above explains that the vulnerability exists
>> in versions prior to openssh 5.8p2, and yet your patch was submitted against
>> openssh 6.0p1. So it seems that this would not apply. Or am I
>> misunderstanding the nature of the bug?
>>     
>
> Prior to 5.8p2 *and* not Linux:
>
> 2. Affected configurations
>
>         Portable OpenSSH prior to version 5.8p2 only on platforms
>         that are configured to use ssh-rand-helper for entropy
>         collection.
>
>         ssh-rand-helper is enabled at configure time when it is
>         detected that OpenSSL does not have a built-in source of
>         randomness, and only used at runtime if this condition
>         remains. Platforms that support /dev/random or otherwise
>         configure OpenSSL with a random number provider are not
>         vulnerable.
>
>         In particular, *BSD, OS X, Cygwin and Linux are not
>         affected.
>
> Ross
>

next prev parent reply	other threads:[~2012-12-04  1:42 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-11-27  6:13 [PATCH] openssh: CVE-2011-4327 Li Wang
2012-11-29 17:47 ` Saul Wold
2012-11-30 22:41 ` Scott Garman
2012-12-03 14:13   ` Burton, Ross
2012-12-04  1:28     ` Li.Wang [this message]
  -- strict thread matches above, loose matches on Subject: below --
2012-11-27  5:53 Li Wang

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=50BD51A2.7010208@windriver.com \
    --to=li.wang@windriver.com \
    --cc=openembedded-core@lists.openembedded.org \
    --cc=ross.burton@intel.com \
    --cc=scott.a.garman@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox