Dear all, An upstream update to openssh is in [testing]; from the Changelog:
* Fix local private host key compromise on platforms without host- level randomness support (e.g. /dev/random) reported by Tomas Mraz On hosts that did not have a randomness source configured in OpenSSL and were not configured to use EGD/PRNGd (using the --with-prngd-socket configure option), the ssh-rand-helper command was being implicitly executed by ssh-keysign with open file descriptors to the host private keys. An attacker could use ptrace(2) to attach to ssh-rand-helper and exfiltrate the keys. Most modern operating systems are not vulnerable. In particular, *BSD, Linux, OS X and Cygwin do not use ssh-rand-helper. A full advisory for this issue is available at: http://www.openssh.com/txt/portable-keysign-rand-helper.adv There are other minor changes but they don't concern Arch. Please test and signoff. -- Gaetan
