From 58d1f877a2337cdfa96a862eadb933da0dffdd35 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sat, 27 Feb 2010 20:40:41 +0000 Subject: DEP-3 tagging of autotools, SELinux, key blacklisting, and keepalive patches --- debian/patches/ssh-vulnkey.patch | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'debian/patches/ssh-vulnkey.patch') diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch index 3e4e96493..b33315677 100644 --- a/debian/patches/ssh-vulnkey.patch +++ b/debian/patches/ssh-vulnkey.patch @@ -1,3 +1,15 @@ +Description: Reject vulnerable keys to mitigate Debian OpenSSL flaw + In 2008, Debian (and derived distributions such as Ubuntu) shipped an + OpenSSL package with a flawed random number generator, causing OpenSSH to + generate only a very limited set of keys which were subject to private half + precomputation. To mitigate this, this patch checks key authentications + against a blacklist of known-vulnerable keys, and adds a new ssh-vulnkey + program which can be used to explicitly check keys against that blacklist. + See CVE-2008-0166. +Author: Colin Watson +Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469 +Last-Update: 2010-02-27 + Index: b/Makefile.in =================================================================== --- a/Makefile.in -- cgit v1.2.3
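Review bot: the long description in the added DEP-3 header says the patch "checks key authentications against a blacklist of known-vulnerable keys" but does not say what happens when a key matches. Only the synopsis line says "Reject". The body should state explicitly that matching keys are refused. It would also help the next reader to say where the blacklist data comes from, and how the check behaves if that data is missing. A wording point in the same paragraph: "subject to private half precomputation" is hard to parse, and "whose private halves could be precomputed" reads more clearly.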