DEP-3 tagging of autotools, SELinux, key blacklisting, and keepalive patches

author: Colin Watson <cjwatson@debian.org> 2010-02-27 20:40:41 +0000
committer: Colin Watson <cjwatson@debian.org> 2010-02-27 20:40:41 +0000
commit: 58d1f877a2337cdfa96a862eadb933da0dffdd35 (patch)
tree: e6a1ab8af7aad7a5cc11d8414e2e74a0fb14e790 /debian/patches/ssh-vulnkey.patch
parent: 56276d29ea829cd4c92cd881b496388d93c23dee (diff)
1 files changed, 12 insertions, 0 deletions
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch
index 3e4e96493..b33315677 100644
--- a/debian/patches/ssh-vulnkey.patch
+++ b/debian/patches/ssh-vulnkey.patch
@@ -1,3 +1,15 @@
+Description: Reject vulnerable keys to mitigate Debian OpenSSL flaw
+ In 2008, Debian (and derived distributions such as Ubuntu) shipped an
+ OpenSSL package with a flawed random number generator, causing OpenSSH to
+ generate only a very limited set of keys which were subject to private half
+ precomputation.  To mitigate this, this patch checks key authentications
+ against a blacklist of known-vulnerable keys, and adds a new ssh-vulnkey
+ program which can be used to explicitly check keys against that blacklist.
+ See CVE-2008-0166.
+Author: Colin Watson <cjwatson@ubuntu.com>
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469
+Last-Update: 2010-02-27
 Index: b/Makefile.in
 ===================================================================
 --- a/Makefile.in
author	Colin Watson <cjwatson@debian.org>	2010-02-27 20:40:41 +0000
committer	Colin Watson <cjwatson@debian.org>	2010-02-27 20:40:41 +0000
commit	58d1f877a2337cdfa96a862eadb933da0dffdd35 (patch)
tree	e6a1ab8af7aad7a5cc11d8414e2e74a0fb14e790 /debian/patches/ssh-vulnkey.patch
parent	56276d29ea829cd4c92cd881b496388d93c23dee (diff)

diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch index 3e4e96493..b33315677 100644 --- a/debian/patches/ssh-vulnkey.patch +++ b/debian/patches/ssh-vulnkey.patch
@@ -1,3 +1,15 @@
		1	Description: Reject vulnerable keys to mitigate Debian OpenSSL flaw
		2	In 2008, Debian (and derived distributions such as Ubuntu) shipped an
		3	OpenSSL package with a flawed random number generator, causing OpenSSH to
		4	generate only a very limited set of keys which were subject to private half
		5	precomputation. To mitigate this, this patch checks key authentications
		6	against a blacklist of known-vulnerable keys, and adds a new ssh-vulnkey
		7	program which can be used to explicitly check keys against that blacklist.
		8	See CVE-2008-0166.
		9	Author: Colin Watson <cjwatson@ubuntu.com>
		10	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469
		11	Last-Update: 2010-02-27
		12
1	Index: b/Makefile.in	13	Index: b/Makefile.in
2	===================================================================	14	===================================================================
3	--- a/Makefile.in	15	--- a/Makefile.in