OpenSSH 5.8 addresses legacy certificate signing vulnerability
Less than two weeks after OpenSSH 5.7 arrived, the OpenSSH development team has released version 5.8 / 5.8p1 of its open source SSH (Secure Shell) implementation. According to the developers, the latest update addresses a legacy certificate signing vulnerability that was introduced in OpenSSH 5.6 and which could lead to "leaking confidential information". Users who are unable to update to the latest release are advised to avoid generating legacy certificates using OpenSSH 5.6 or 5.7 – legacy certificates are requested with the "-t" command line option of ssh-keygen.
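Administrators who followed the advice above may also want to know which already-issued certificates are in the legacy format, since those are the ones produced by the affected code path. The following Python script is an added example, not part of the original article or of the OpenSSH project; it classifies authorized_keys, known_hosts or .pub style lines by the certificate type string at the start of the base64 key blob (the legacy format uses the `ssh-rsa-cert-v00@openssh.com` / `ssh-dss-cert-v00@openssh.com` identifiers, the current format the `v01` ones). The sample input is constructed: the blobs contain only the type string and a placeholder field, not full certificate bodies.

```python
import base64
import binascii
import struct
from typing import List, Optional, Tuple

# OpenSSH certificate type identifiers as they appear at the start of the key blob.
# The "v00" identifiers denote the legacy certificate format, "v01" the current one.
LEGACY_CERT_TYPES = {"ssh-rsa-cert-v00@openssh.com", "ssh-dss-cert-v00@openssh.com"}
CURRENT_CERT_TYPES = {"ssh-rsa-cert-v01@openssh.com", "ssh-dss-cert-v01@openssh.com"}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def leading_type(blob: bytes) -> Optional[str]:
    """Return the key type string encoded at the start of a decoded key blob, or None."""
    if len(blob) < 4:
        return None
    (length,) = struct.unpack(">I", blob[:4])
    if length == 0 or length > 256 or 4 + length > len(blob):
        return None
    try:
        return blob[4:4 + length].decode("ascii")
    except UnicodeDecodeError:
        return None


def classify_line(line: str) -> Optional[Tuple[str, str]]:
    """Classify one key line as ("legacy", type), ("current", type) or ("key", type).

    The decision is based on the type string inside the base64 blob, which is what
    sshd actually parses, rather than on the plaintext prefix. Comments, blank
    lines and lines without a decodable blob yield None.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    # The blob may be preceded by an options field (authorized_keys) or a host
    # field (known_hosts), so inspect each token until one decodes as base64.
    for token in stripped.split():
        try:
            blob = base64.b64decode(token, validate=True)
        except binascii.Error:
            continue
        key_type = leading_type(blob)
        if key_type is None:
            continue
        if key_type in LEGACY_CERT_TYPES:
            return ("legacy", key_type)
        if key_type in CURRENT_CERT_TYPES:
            return ("current", key_type)
        return ("key", key_type)
    return None


def find_legacy_certs(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, type) for every line carrying a legacy (v00) certificate."""
    hits = []
    for number, line in enumerate(lines, start=1):
        result = classify_line(line)
        if result is not None and result[0] == "legacy":
            hits.append((number, result[1]))
    return hits


def _stub_blob(key_type: bytes) -> str:
    # Constructed blob: the type string plus one placeholder field, not a full certificate.
    return base64.b64encode(ssh_string(key_type) + ssh_string(b"constructed")).decode("ascii")


# Constructed sample authorized_keys content (hypothetical comments and command option).
SAMPLE_LINES = [
    "# constructed sample authorized_keys file",
    "ssh-rsa-cert-v00@openssh.com " + _stub_blob(b"ssh-rsa-cert-v00@openssh.com") + " legacy-cert@example",
    "ssh-rsa-cert-v01@openssh.com " + _stub_blob(b"ssh-rsa-cert-v01@openssh.com") + " current-cert@example",
    "ssh-rsa " + _stub_blob(b"ssh-rsa") + " plain-key@example",
    'command="/usr/bin/backup" ssh-dss-cert-v00@openssh.com '
    + _stub_blob(b"ssh-dss-cert-v00@openssh.com") + " legacy-dss@example",
]

if __name__ == "__main__":
    for number, key_type in find_legacy_certs(SAMPLE_LINES):
        print(f"line {number}: legacy certificate ({key_type})")
```

Run it against a real file by replacing SAMPLE_LINES with the file's lines; any line reported as legacy was issued in the format the advisory concerns and is a candidate for re-issuing with a fixed release.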
A number of bugs have also been fixed in the portable version of OpenSSH. The developers ask that any further bugs found in the release be reported following the procedure outlined on the OpenSSH bug report page – security bugs should be reported directly to openssh@openssh.com. All users are advised to upgrade to the latest release.
More details about the release can be found in the release notes and in the official security advisory. OpenSSH 5.8 is available to download from one of the project's FTP mirrors. OpenSSH is made available under a BSD licence and is funded through donations.
See also:
- OpenSSH Security Advisory: legacy-certs.adv, an OpenSSH security advisory.
- OpenSSH Legacy Certificates Stack Memory Leak Weakness, security advisory from Secunia.
(crve)