
List:       oss-security
Subject:    Re: [oss-security] Announce: OpenSSH 9.3p2 released
From:       Qualys Security Advisory <qsa () qualys ! com>
Date:       2023-07-21 12:10:31
Message-ID: 20230721121019.GB25354 () localhost ! localdomain

Hi,

On Thu, Jul 20, 2023 at 09:22:08PM -0400, Demi Marie Obenour wrote:
> IMO the root cause of this problem is that PKCS#11 libraries are installed
> in /usr/lib, rather than in /usr/lib/pkcs11 or another subdirectory.
> There should be an automated way to check if a library is a PKCS#11
> library without having to load it.

Wednesday's release was a security-only release; the two patches it
contains are very simple, unlikely to break any existing installation,
and one of these patches at least (the s/error/fatal/ one) is very easy
to backport.

But the OpenSSH developers have done an amazing job and have not only
prepared these security-only patches, they have also prepared two more
defense-in-depth patches (which are more intrusive and therefore need
testing by the community first):

https://github.com/openssh/openssh-portable/commit/29ef8a04866ca14688d5b7fed7b8b9deab851f77
https://github.com/openssh/openssh-portable/commit/099cdf59ce1e72f55d421c8445bf6321b3004755

The first one of these patches is probably what you are looking for
("check if a library is a PKCS#11 library without having to load it").

Thanks again to the OpenSSH developers for their incredible work! With
best regards,

-- 
the Qualys Security Advisory team
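The thread above mentions "checking if a library is a PKCS#11 library without having to load it" but does not spell out how such a check works. The following is an added example (not code from OpenSSH or from either poster) that assumes the check is "does the shared object export the PKCS#11 entry point C_GetFunctionList", and answers it by parsing the ELF dynamic symbol table directly. The point of reading the file rather than calling dlopen() is that dlopen() runs the library's constructors, so loading an arbitrary library just to inspect it is itself a code-execution path. The build_elf64_with_dynsym() helper and the sample objects it produces are constructed here purely so the check can be exercised offline; they are not loadable libraries.

```python
"""Inspect an ELF shared object for an exported symbol without dlopen()ing it.

Added illustration of a pre-load PKCS#11 provider check: look for the
C_GetFunctionList export in .dynsym by reading the file, so no constructor
in the candidate library ever runs.  Handles ELF64 only (either byte order).
"""
import struct

SHT_STRTAB = 3
SHT_DYNSYM = 11
SHN_UNDEF = 0
PKCS11_ENTRY = "C_GetFunctionList"  # assumed marker of a PKCS#11 provider
EHDR_FMT = "16sHHIQQQIHHHHHH"       # Elf64_Ehdr, 64 bytes
SHDR_FMT = "IIQQQQIIQQ"             # Elf64_Shdr, 64 bytes
SYM_FMT = "IBBHQQ"                  # Elf64_Sym, 24 bytes


def exported_symbols(data: bytes) -> set:
    """Return the names of *defined* symbols in every SHT_DYNSYM section.

    Raises ValueError for anything that is not a well-formed ELF64 object,
    so a caller can refuse the file rather than guess.
    """
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELF64 objects are handled here")
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = LE, 2 = BE
    hdr = struct.unpack_from(end + EHDR_FMT, data, 0)
    e_shoff, e_shentsize, e_shnum = hdr[6], hdr[11], hdr[12]
    if e_shoff == 0 or e_shentsize != 64 or e_shoff + 64 * e_shnum > len(data):
        raise ValueError("missing or truncated section header table")
    sections = [struct.unpack_from(end + SHDR_FMT, data, e_shoff + i * 64)
                for i in range(e_shnum)]
    names = set()
    for sh in sections:
        sh_type, sh_offset, sh_size, sh_link, sh_entsize = sh[1], sh[4], sh[5], sh[6], sh[9]
        if sh_type != SHT_DYNSYM:
            continue
        if sh_entsize != 24 or sh_offset + sh_size > len(data) or sh_link >= len(sections):
            raise ValueError("malformed .dynsym section")
        strtab = sections[sh_link]                # sh_link points at .dynstr
        if strtab[1] != SHT_STRTAB or strtab[4] + strtab[5] > len(data):
            raise ValueError("malformed .dynstr section")
        strdata = data[strtab[4]:strtab[4] + strtab[5]]
        for i in range(sh_size // 24):
            st_name, _info, _other, st_shndx, _val, _size = struct.unpack_from(
                end + SYM_FMT, data, sh_offset + i * 24)
            # SHN_UNDEF entries are imports the library *uses*, not exports.
            if st_shndx == SHN_UNDEF or st_name >= len(strdata):
                continue
            nul = strdata.find(b"\0", st_name)
            names.add(strdata[st_name:nul if nul >= 0 else None].decode("ascii", "replace"))
    return names


def looks_like_pkcs11_provider(data: bytes) -> bool:
    """True only if the object parses as ELF64 and exports C_GetFunctionList."""
    try:
        return PKCS11_ENTRY in exported_symbols(data)
    except ValueError:
        return False


def build_elf64_with_dynsym(defined, undefined=()) -> bytes:
    """Constructed sample: a minimal little-endian ET_DYN ELF64 image holding
    only .dynstr, .dynsym and .shstrtab.  Not loadable; it exists so the check
    above can be run without touching a real library."""
    dynstr = b"\0"
    syms = [struct.pack("<" + SYM_FMT, 0, 0, 0, 0, 0, 0)]   # mandatory null symbol
    for name, shndx in [(n, 1) for n in defined] + [(n, SHN_UNDEF) for n in undefined]:
        syms.append(struct.pack("<" + SYM_FMT, len(dynstr), 0x12, 0, shndx, 0x1000, 0))
        dynstr += name.encode() + b"\0"
    dynsym = b"".join(syms)
    shstrtab = b"\0.dynstr\0.dynsym\0.shstrtab\0"   # name offsets 1, 9, 17
    off_dynstr = 64
    off_dynsym = off_dynstr + len(dynstr)
    off_shstr = off_dynsym + len(dynsym)
    off_sh = off_shstr + len(shstrtab)

    def sh(name, typ, offset, size, link=0, info=0, entsize=0):
        return struct.pack("<" + SHDR_FMT, name, typ, 0, 0, offset, size, link, info, 1, entsize)

    shdrs = (sh(0, 0, 0, 0)
             + sh(1, SHT_STRTAB, off_dynstr, len(dynstr))
             + sh(9, SHT_DYNSYM, off_dynsym, len(dynsym), link=1, info=1, entsize=24)
             + sh(17, SHT_STRTAB, off_shstr, len(shstrtab)))
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9          # ELF64, LE, version 1
    ehdr = struct.pack("<" + EHDR_FMT, ident, 3, 62, 1, 0, 0, off_sh, 0,
                       64, 0, 0, 64, 4, 3)               # ET_DYN, x86-64, 4 sections
    return ehdr + dynstr + dynsym + shstrtab + shdrs


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, "pkcs11-like" if looks_like_pkcs11_provider(f.read()) else "no")
```

Two caveats that apply equally to any such check. First, it only screens out libraries that are obviously not PKCS#11 providers, which is what makes accidental loading of an unrelated /usr/lib object less attractive; it is not a trust decision, since any library can export that symbol, so restricting provider paths (the /usr/lib/pkcs11 point raised above) and the process isolation of the second linked patch remain the stronger controls. Second, the parser is deliberately strict: anything it cannot parse is rejected rather than passed to the loader.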