oss-sec mailing list archives
Re: Announce: OpenSSH 9.3p2 released
From: Qualys Security Advisory <qsa () qualys com>
Date: Fri, 21 Jul 2023 12:10:31 +0000
Hi, On Thu, Jul 20, 2023 at 09:22:08PM -0400, Demi Marie Obenour wrote:
IMO the root cause of this problem is that PKCS#11 libraries are installed in /usr/lib, rather than in /usr/lib/pkcs11 or another subdirectory. There should be an automated way to check if a library is a PKCS#11 library without having to load it.
Wednesday's release was a security-only release, the two patches it contains are very simple, unlikely to break any existing installation, and one of these patches at least (the s/error/fatal/ one) is very easy to backport. But the OpenSSH developers have done an amazing job and have not only prepared these security-only patches, they have also prepared two more defense-in-depth patches (which are more intrusive and therefore need testing by the community first): https://github.com/openssh/openssh-portable/commit/29ef8a04866ca14688d5b7fed7b8b9deab851f77 https://github.com/openssh/openssh-portable/commit/099cdf59ce1e72f55d421c8445bf6321b3004755 The first one of these patches is probably what you are looking for ("check if a library is a PKCS#11 library without having to load it"). Thanks again to the OpenSSH developers for their incredible work! With best regards, -- the Qualys Security Advisory team
Current thread:
- Announce: OpenSSH 9.3p2 released Damien Miller (Jul 19)
- Re: Announce: OpenSSH 9.3p2 released Demi Marie Obenour (Jul 20)
- Re: Announce: OpenSSH 9.3p2 released Sevan Janiyan (Jul 20)
- Re: Announce: OpenSSH 9.3p2 released Matthew Fernandez (Jul 20)
- Re: Announce: OpenSSH 9.3p2 released Marcus Meissner (Jul 21)
- Re: Announce: OpenSSH 9.3p2 released Demi Marie Obenour (Jul 21)
- Re: Announce: OpenSSH 9.3p2 released Qualys Security Advisory (Jul 21)
- Re: Announce: OpenSSH 9.3p2 released Sevan Janiyan (Jul 21)
- Re: Announce: OpenSSH 9.3p2 released Sevan Janiyan (Jul 20)
- Re: Announce: OpenSSH 9.3p2 released Demi Marie Obenour (Jul 20)