oss-sec mailing list archives
Re: Announce: OpenSSH 9.3p2 released
From: Matthew Fernandez <matthew.fernandez () gmail com>
Date: Fri, 21 Jul 2023 11:04:49 +1000
On 7/20/23 23:41, Sevan Janiyan wrote:
> On 20/07/2023 14:24, Demi Marie Obenour wrote:
>> Should there be a system-wide configuration file containing a list of known-good PKCS#11 libraries? ssh-agent having to guess if something is a PKCS#11 library is less than awesome.
> There's a compile time setting for paths from which you are able to load libraries.
I don’t think this helps much though, right? The Qualys research that motivated this found an exploit chain using only libs present in /usr/lib in a default Ubuntu install. If you want to lock down loading to a specific non-/usr/lib path that you have control over, this suggests you know and are in control of the PKCS#11 providers you’re going to support. In which case, why not avoid dynamic loading to begin with? I guess the allowlist and new defaults are the answer to this conundrum though.
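The allowlist point made in this exchange, as an added illustration that is not OpenSSH's own code: a provider-path check modelled on the style of ssh-agent's -P allowlist (assumed here to be comma-separated glob patterns where `*` may also match `/`), showing that a /usr/lib-wide allowlist still admits anything in the system library directories, whereas a narrow, operator-controlled directory admits only the provider that was deliberately installed. All allowlist strings and library paths below are constructed.

```python
import fnmatch
import os

# Constructed allowlists (assumption: comma-separated glob patterns in the
# style of ssh-agent's -P option, where '*' is allowed to match '/').
BROAD_ALLOWLIST = "/usr/lib*/*,/usr/local/lib*/*"   # stand-in for a system-wide default
NARROW_ALLOWLIST = "/opt/pkcs11-providers/*.so"      # an operator-controlled directory

# Constructed candidate provider paths; none of these need to exist on disk.
CANDIDATES = [
    "/usr/lib/x86_64-linux-gnu/libfoo.so",    # ordinary distro library, not a PKCS#11 module
    "/usr/local/lib/pkcs11/libtoken.so",
    "/opt/pkcs11-providers/libtoken.so",       # the provider the operator actually installed
    "/usr/lib/../../tmp/evil.so",              # tries to escape the allowed tree via '..'
    "relative/libtoken.so",                    # relative paths are never acceptable
]


def provider_allowed(path: str, allowlist: str) -> bool:
    """True if `path` matches at least one pattern of the comma-separated allowlist.

    The path is canonicalised first (symlinks and '..' resolved) so that a library
    living outside the allowed directories cannot be reached through an alias of an
    allowed one. Relative paths are rejected outright.
    """
    if not os.path.isabs(path):
        return False
    canonical = os.path.normpath(os.path.realpath(path))
    patterns = [p.strip() for p in allowlist.split(",") if p.strip()]
    return any(fnmatch.fnmatchcase(canonical, p) for p in patterns)


def admitted(candidates, allowlist):
    """Return the subset of candidate paths the allowlist would let the agent load."""
    return [c for c in candidates if provider_allowed(c, allowlist)]


if __name__ == "__main__":
    for name, allowlist in (("broad", BROAD_ALLOWLIST), ("narrow", NARROW_ALLOWLIST)):
        print(f"{name:6s} {allowlist!r} admits: {admitted(CANDIDATES, allowlist)}")
```

With the broad list every library under /usr/lib and /usr/local/lib is loadable, which is exactly the set the message above says the exploit chain drew on; the narrow list admits only the one provider the operator placed there.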