Leo Famulari <l...@famulari.name> writes:

> On Fri, Apr 15, 2016 at 11:27:35PM +0200, Ludovic Courtès wrote:
>> Leo Famulari <l...@famulari.name> writes:
>>
>> > * gnu/packages/patches/openssh-CVE-2015-8325.patch: New file.
>> > * gnu-system.am (dist_patch_DATA): Add it.
>> > * gnu/packages/ssh.scm (openssh): Use it.
>>
>> The explanation in the OpenSSH commit log is clear IMO and the fix looks
>> reasonable, so I’d say go for it…
>>
>> … but I can’t seem to find the change in the authoritative repo:
>>
>> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c
>
> The web page for the portable version of OpenSSH [0] (which is what we
> package) says this:
>
> "Normal OpenSSH development produces a very small, secure, and easy to
> maintain version for the OpenBSD project. The OpenSSH Portability Team
> takes that pure version and adds portability code so that OpenSSH can
> run on many other operating systems (Unfortunately, in particular since
> OpenSSH does authentication, it runs into a *lot* of differences between
> Unix operating systems)."
>
> The bug is related to how sshd interacts with PAM. My understanding is
> that OpenBSD does not use PAM, so the bug would not exist in their
> repository.
>
> [0] FYI, I could not load this site over HTTPS
> http://www.openssh.com/portable.html This page also links to the
> repository that contains the patch.

Oh, OK, thanks for the clarification.

Well, go for it!

Ludo’.