[OE-core] [PATCH] openssh: CVE-2011-4327

Burton, Ross ross.burton at intel.com
Mon Dec 3 14:13:24 UTC 2012


On 30 November 2012 22:41, Scott Garman <scott.a.garman at intel.com> wrote:
> The second link you referenced above explains that the vulnerability exists
> in versions prior to openssh 5.8p2, and yet your patch was submitted against
> openssh 6.0p1. So it seems that this would not apply. Or am I
> misunderstanding the nature of the bug?

Prior to 5.8p2 *and* not Linux:

2. Affected configurations

        Portable OpenSSH prior to version 5.8p2 only on platforms
        that are configured to use ssh-rand-helper for entropy
        collection.

        ssh-rand-helper is enabled at configure time when it is
        detected that OpenSSL does not have a built-in source of
        randomness, and only used at runtime if this condition
        remains. Platforms that support /dev/random or otherwise
        configure OpenSSL with a random number provider are not
        vulnerable.

        In particular, *BSD, OS X, Cygwin and Linux are not
        affected.

Ross
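The three conditions in the quoted advisory (Portable OpenSSH older than 5.8p2, a build configured with ssh-rand-helper, and a platform with no kernel randomness source for OpenSSL) can be checked mechanically when triaging a recipe's CVE status. The script below is an added example, not code from this thread or from the OpenSSH project. It assumes that an installed, executable `ssh-rand-helper` in the libexec directory the caller passes in marks a helper-enabled build, and it approximates "OpenSSL has a built-in source of randomness" by the presence of `/dev/random` or `/dev/urandom`; both assumptions are labelled in the comments.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenSSH project): triage a
# Portable OpenSSH install against the CVE-2011-4327 affected configuration.
#
# Assumptions not stated on the page:
#   - the caller passes the libexec directory (it is distribution-specific)
#   - an executable ssh-rand-helper there marks a helper-enabled build
#   - /dev/random or /dev/urandom stands in for "OpenSSL has a built-in RNG"

# Return 0 (true) if the version is older than 5.8p2.  Accepts either
# "OpenSSH_5.8p1" or a whole `ssh -V` line ("OpenSSH_6.0p1, OpenSSL ...").
openssh_before_5_8p2() {
    ver=${1#OpenSSH_}
    ver=${ver%%,*}                 # drop ", OpenSSL ..." if the full line was passed
    ver=${ver%% *}                 # drop any vendor suffix after a space
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%p*}
    case $rest in
        *p*) patch=${rest#*p} ;;
        *)   patch=0 ;;            # upstream OpenBSD version without a "pN" suffix
    esac
    if [ "$major" -lt 5 ]; then return 0; fi
    if [ "$major" -gt 5 ]; then return 1; fi
    if [ "$minor" -lt 8 ]; then return 0; fi
    if [ "$minor" -gt 8 ]; then return 1; fi
    [ "$patch" -lt 2 ]
}

# Return 0 if the install carries the ssh-rand-helper binary.
# $1: libexec directory (assumed path, e.g. /usr/libexec/openssh).
uses_rand_helper() {
    [ -x "$1/ssh-rand-helper" ]
}

# Return 0 if the platform offers a kernel randomness device that OpenSSL
# can seed from (the advisory names /dev/random; urandom is the usual source).
has_dev_random() {
    [ -c /dev/random ] || [ -c /dev/urandom ]
}

# All three conditions from the advisory must hold for the build to be affected.
# $1: version string, $2: libexec directory.  Return 0 if affected.
cve_2011_4327_affected() {
    openssh_before_5_8p2 "$1" || return 1
    uses_rand_helper "$2"     || return 1
    if has_dev_random; then return 1; fi
    return 0
}

# Usage on a live host (the libexec path below is an assumption, adjust it).
if command -v ssh >/dev/null 2>&1; then
    v=$(ssh -V 2>&1)
    if cve_2011_4327_affected "$v" /usr/libexec/openssh; then
        echo "AFFECTED by CVE-2011-4327: $v"
    else
        echo "not affected by CVE-2011-4327: $v"
    fi
fi
```

On any Linux target the `has_dev_random` check alone settles the question in the negative, which is the point Ross makes above; the version and helper checks matter only for the non-Linux platforms the advisory has in mind.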
