From mboxrd@z Thu Jan  1 00:00:00 1970
From: Leo Famulari <leo@famulari.name>
Subject: [PATCH 0/1] openssh: Fix CVE-2015-8325
Date: Fri, 15 Apr 2016 14:22:54 -0400
Message-ID: <cover.1460744429.git.leo@famulari.name>
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:34071)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1ar8OA-0002tx-K4
	for guix-devel@gnu.org; Fri, 15 Apr 2016 14:22:43 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1ar8O6-00005y-AX
	for guix-devel@gnu.org; Fri, 15 Apr 2016 14:22:42 -0400
Received: from out2-smtp.messagingengine.com ([66.111.4.26]:39737)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1ar8O6-00005l-4T
	for guix-devel@gnu.org; Fri, 15 Apr 2016 14:22:38 -0400
Received: from jasmine.fios-router.home
	(static-98-115-19-163.phlapa.fios.verizon.net [98.115.19.163])
	by mail.messagingengine.com (Postfix) with ESMTPA id 5B3E6680291
	for <guix-devel@gnu.org>; Fri, 15 Apr 2016 14:22:37 -0400 (EDT)
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: guix-devel@gnu.org

Debian has applied an upstream patch to fix CVE-2015-8325 [0][1][2] in
OpenSSH [3].

OpenSSH builds and seems to work with this patch.

I can't find any public and "official" announcement of this issue yet.
For example, not from Mitre or OpenSSH themselves, aside from the
OpenSSH commit log. For this reason, I want to wait for an "okay" from
other Guix developers.

Please advise, and feel free to apply the patch yourself if appropriate.

[0]
https://security-tracker.debian.org/tracker/CVE-2015-8325

[1]
https://anongit.mindrot.org/openssh.git/commit/?id=85bdcd7c92fe7ff133bbc4e10a65c91810f88755

[2]
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8325

[3]
http://www.openssh.com/portable.html

Leo Famulari (1):
  gnu: openssh: Fix CVE-2015-8325.

 gnu-system.am                                    |  1 +
 gnu/packages/patches/openssh-CVE-2015-8325.patch | 31 ++++++++++++++++++++++++
 gnu/packages/ssh.scm                             |  3 ++-
 3 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/openssh-CVE-2015-8325.patch

-- 
2.7.3