add Spectre variant 2 mitigations
David Newall
openssh at davidnewall.com
Tue Feb 6 20:09:25 AEDT 2018
On 06/02/18 09:29, Darren Tucker wrote:
> Both GCC and clang are adding mitigations for Spectre variant 2 although
> neither have yet made a release and neither are on by default.
>
> After trolling through and building release candidate branches for both
> I believe this is what is required for the ssh programs
Do we need to do anything? It's not clear to me how SSH is vulnerable
to Spectre -- that is, how SSH can be used to execute a Spectre attack?
Browsers are vulnerable because they can be made to load and run
arbitrary JS programs. Although SSH can be used to execute arbitrary
programs, they don't run within the SSH processes. Do we truly need to
do anything?