Commits for CVE-2021-41617

Darren Tucker dtucker at dtucker.net
Thu Sep 30 16:56:41 AEST 2021


On Thu, 30 Sept 2021 at 16:37, Jan Damborsky <dambi at tio.cz> wrote:

> I am now in process of preparing patch for OpenSSH 8.4p1
> to address CVE-2021-41617 (fixed in OpenSSH 8.8p1),
> but it is not quite clear to me which particular
> commits are relevant.
>
> So far I have identified following ones:
>
>
> https://github.com/openssh/openssh-portable/commit/f3cbe43e28fe71427d41cfe3a17125b972710455
>
> https://github.com/openssh/openssh-portable/commit/bf944e3794eff5413f2df1ef37cddf96918c6bde
>
> Could you please let me know that those are
> the right ones or if there are more commits
> to be included?
>

That's them.  You can cross-check against the equivalent patch for OpenBSD
-stable:
https://ftp.openbsd.org/pub/OpenBSD/patches/6.9/common/016_sshd.patch.sig

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.


More information about the openssh-unix-dev mailing list