[OE-core] [PATCH] openssh: CVE-2011-4327
Burton, Ross
ross.burton at intel.com
Mon Dec 3 14:13:24 UTC 2012
On 30 November 2012 22:41, Scott Garman <scott.a.garman at intel.com> wrote:
> The second link you referenced above explains that the vulnerability exists
> in versions prior to openssh 5.8p2, and yet your patch was submitted against
> openssh 6.0p1. So it seems that this would not apply. Or am I
> misunderstanding the nature of the bug?
Prior to 5.8p2 *and* not Linux:

    2. Affected configurations

       Portable OpenSSH prior to version 5.8p2 only on platforms
       that are configured to use ssh-rand-helper for entropy
       collection.

       ssh-rand-helper is enabled at configure time when it is
       detected that OpenSSL does not have a built-in source of
       randomness, and only used at runtime if this condition
       remains. Platforms that support /dev/random or otherwise
       configure OpenSSL with a random number provider are not
       vulnerable.

       In particular, *BSD, OS X, Cygwin and Linux are not
       affected.

Ross