Mailing List Archive

Announce: Portable OpenSSH 5.8p2 released
Portable OpenSSH 5.8p2 has just been released. It will be available
from the mirrors listed at shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:

Changes since OpenSSH 5.8p1


* Fix local private host key compromise on platforms without host-
level randomness support (e.g. /dev/random) reported by Tomas Mraz

On hosts that did not have a randomness source configured in
OpenSSL and were not configured to use EGD/PRNGd (using the
--with-prngd-socket configure option), the ssh-rand-helper command
was being implicitly executed by ssh-keysign with open file
descriptors to the host private keys. An attacker could use
ptrace(2) to attach to ssh-rand-helper and exfiltrate the keys.

Most modern operating systems are not vulnerable. In particular,
*BSD, Linux, OS X and Cygwin do not use ssh-rand-helper.

A full advisory for this issue is available at:

Portable OpenSSH Bugfixes:

* Fix compilation failure when enabling SELinux support.

* Revised Cygwin ssh-{host,user}-config that include ECDSA key

* Revised Cygwin ssh-host-config to be more thorough in error checking
and reporting.


- SHA1 (openssh-5.8p2.tar.gz) = e610270e0c5484fb291cd81bbcbefbeb5e391a62

Reporting Bugs:

- Please read
Security bugs should be reported directly to

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.

openssh-unix-dev mailing list