debian openssh issue with openssl 1.1.1d


debian openssh issue with openssl 1.1.1d

Michael Richardson
Salvatore Bonaccorso <[hidden email]> wrote:
    > -------------------------------------------------------------------------
    > Debian Security Advisory DSA-4539-2                   [hidden email]
    > https://www.debian.org/security/                     Salvatore Bonaccorso
    > October 07, 2019                      https://www.debian.org/security/faq
    > -------------------------------------------------------------------------

    > Package        : openssh
    > Debian Bug     : 941663

    > A change introduced in openssl 1.1.1d (which got released as DSA 4539-1)
    > requires sandboxing features which are not available in Linux kernels
    > before 3.19, resulting in OpenSSH rejecting connection attempts if

I've gone through the changelog for 1.1.1d, but I can't figure out what
1.1.1d would have changed that would have caused this.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     [hidden email]  http://www.sandelman.ca/        |   ruby on rails    [

Re: debian openssh issue with openssl 1.1.1d

OpenSSL - User mailing list
On Tue, Oct 08, 2019 at 05:23:56AM -0400, Michael Richardson wrote:

> Salvatore Bonaccorso <[hidden email]> wrote:
>     > -------------------------------------------------------------------------
>     > Debian Security Advisory DSA-4539-2                   [hidden email]
>     > https://www.debian.org/security/                     Salvatore Bonaccorso
>     > October 07, 2019                      https://www.debian.org/security/faq
>     > -------------------------------------------------------------------------
>
>     > Package        : openssh
>     > Debian Bug     : 941663
>
>     > A change introduced in openssl 1.1.1d (which got released as DSA 4539-1)
>     > requires sandboxing features which are not available in Linux kernels
>     > before 3.19, resulting in OpenSSH rejecting connection attempts if
>
> I've gone through the changelog for 1.1.1d, but I can't figure out what
> 1.1.1d would have changed that would have caused this.

The RNG uses sysV shm to convey to other processes that /dev/[u]random has been
properly seeded, under some configurations/kernel versions.

-Ben
Re: debian openssh issue with openssl 1.1.1d

Viktor Dukhovni
> On Oct 8, 2019, at 6:27 AM, Benjamin Kaduk via openssl-users <[hidden email]> wrote:
>
> The RNG uses sysV shm to convey to other processes that /dev/[u]random has been
> properly seeded, under some configurations/kernel versions.

This apparently affects some sandboxed configurations:

  https://anongit.mindrot.org/openssh.git/commit/?id=3ef92a657444f172b61f92d5da66d94fa8265602

aka

  https://github.com/openssh/openssh-portable/commit/3ef92a657444f172b61f92d5da66d94fa8265602

--
        Viktor.
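The mechanism Ben describes (the RNG reaching for SysV shm) and the sandbox interaction Viktor links to, as an added illustration that is not OpenSSH's or OpenSSL's code: a minimal seccomp-bpf filter that denies shmget(2), plus a probe standing in for a library that tries to use SysV shared memory under it. It assumes Linux on x86_64 or aarch64 (where shmget is a direct syscall) and makes the denied call return EPERM so the failure is observable; an allowlist that kills the process instead produces the same class of breakage.

```c
/* Added example: allowlist-style seccomp filter vs. a library's shmget call. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/shm.h>
#include <sys/syscall.h>
#if defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#define SANDBOX_ARCH AUDIT_ARCH_X86_64   /* assumption: x86_64 otherwise */
#endif
/* Create and immediately remove a private segment; 0 on success, else errno. */
int probe_shmget(void)
{
    int id = shmget(IPC_PRIVATE, 4096, IPC_CREAT | 0600);
    if (id < 0)
        return errno;
    shmctl(id, IPC_RMID, NULL);
    return 0;
}
/* Allow every syscall except shmget (EPERM); 0 on success, -1 if not installed. */
int sandbox_deny_shmget(void)
{
    struct sock_filter filt[] = {
        /* Kill rather than misread syscall numbers under a foreign ABI. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_shmget, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { (unsigned short)(sizeof(filt) / sizeof(filt[0])), filt };
    /* NO_NEW_PRIVS is what lets an unprivileged process install the filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}
int main(void)
{
    printf("before sandbox: errno %d\n", probe_shmget());
    if (sandbox_deny_shmget() != 0) { perror("seccomp"); return 1; }
    printf("inside sandbox: errno %d (EPERM is %d)\n", probe_shmget(), EPERM);
    return 0;
}
```

The practical check when shipping a syscall allowlist is to re-run probes like this against each new version of every library loaded inside the sandbox, since a dependency's new syscall surfaces only at runtime.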