Need Help to Fix CVE-2008-1483, CVE-2008-5161, CVE-2015-5600 and CVE-2015-6565

Damien Miller djm at mindrot.org
Tue Mar 15 03:42:10 AEDT 2016


On Mon, 14 Mar 2016, abhi dhiman wrote:

> Hi All,
> 
> Please direct me to the code changes for the above vulnerabilities.
> We don't have a vendor but we use OpenSSH in our software. So can't upgrade
> it right now.

OpenSSH is maintained by a small team who only have the resources to
support the current version. If you need to generate cherry-pick
patches then you'll either need to do it yourself or find a competent
developer to do it for you.

Finding them yourself isn't too hard: check out the version containing
the fix from git and look at the commit log. Security vulnerabilities
usually precipitate a release quite quickly, so it will likely be one of
the last commits in the log. Do be careful: people have caused problems
by mis-applying cherry-pick patches inappropriately before. It's
much better just to use the latest version.

-d
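
The procedure described in the reply above, sketched as an added example that is not part of the original message and is not OpenSSH project code: list the commits leading up to a release tag, then dry-run one of them against the older tree before any cherry-pick. The function names and their arguments (repository path, tags, commit id) are hypothetical and supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenSSH project).
# Function names and arguments are hypothetical; the caller supplies the
# repository path, tags and commit ids.

# commits_before_release REPO PREV_TAG FIX_TAG
# Prints "<short-hash> <subject>" for every non-merge commit reachable from
# FIX_TAG but not PREV_TAG, newest first, so the commits closest to the
# release come at the top.
commits_before_release() {
    git -C "$1" log --no-merges --format='%h %s' "$2..$3"
}

# applies_cleanly REPO OLD_REF COMMIT
# Dry run: returns 0 only if COMMIT's patch applies to the tree at OLD_REF
# with every context line matching. Uses a scratch index, so neither the
# working tree nor the real index is modified. Returns 2 on setup failure.
applies_cleanly() {
    ac_tmp=$(mktemp -d) || return 2
    ac_rc=0
    GIT_INDEX_FILE="$ac_tmp/index" git -C "$1" read-tree "$2" ||
        { rm -rf "$ac_tmp"; return 2; }
    git -C "$1" format-patch -1 --stdout "$3" |
        GIT_INDEX_FILE="$ac_tmp/index" git -C "$1" apply --cached --check ||
        ac_rc=$?
    rm -rf "$ac_tmp"
    return "$ac_rc"
}
```

A clean dry run only shows that the patch's context lines match the older tree; it does not show that the surrounding older code behaves the same way as the code the fix was written against.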


More information about the openssh-unix-dev mailing list