[OE-core] [PATCH] openssh: CVE-2011-4327
Li.Wang
Li.Wang at windriver.com
Tue Dec 4 01:28:02 UTC 2012
This is my neglect.
The function has already been removed from OpenSSH prior to version 5.8p2:
ChangeLog:
20110505
- (djm) [Makefile.in WARNING.RNG aclocal.m4 buildpkg.sh.in configure.ac]
[entropy.c ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c]
[ssh-keysign.c ssh-pkcs11-helper.c ssh-rand-helper.8 ssh-rand-helper.c]
[ssh.c ssh_prng_cmds.in sshd.c contrib/aix/buildbff.sh]
[regress/README.regress] Remove ssh-rand-helper and all its
tentacles. PRNGd seeding has been rolled into entropy.c directly.
Thanks to tim@ for testing on affected platforms.
So, please revert the patch.
Thanks,
LiWang.
Burton, Ross wrote:
> On 30 November 2012 22:41, Scott Garman <scott.a.garman at intel.com> wrote:
>
>> The second link you referenced above explains that the vulnerability exists
>> in versions prior to openssh 5.8p2, and yet your patch was submitted against
>> openssh 6.0p1. So it seems that this would not apply. Or am I
>> misunderstanding the nature of the bug?
>>
>
> Prior to 5.8p2 *and* not Linux:
>
> 2. Affected configurations
>
> Portable OpenSSH prior to version 5.8p2 only on platforms
> that are configured to use ssh-rand-helper for entropy
> collection.
>
> ssh-rand-helper is enabled at configure time when it is
> detected that OpenSSL does not have a built-in source of
> randomness, and only used at runtime if this condition
> remains. Platforms that support /dev/random or otherwise
> configure OpenSSL with a random number provider are not
> vulnerable.
>
> In particular, *BSD, OS X, Cygwin and Linux are not
> affected.
>
> Ross
>
More information about the Openembedded-core
mailing list