Bugzilla – Bug 691400
VUL-0: CVE-2011-4327: openssh: local private host key compromise on platforms without host-level randomness support
Last modified: 2020-04-02 02:21:38 UTC
Hi.
There is a security bug in package 'openssh'.
This bug is public.
There is no coordinated release date (CRD) set.
More information can be found here:
http://www.openssh.com/txt/release-5.8p2

Original posting:

http://www.openssh.com/txt/release-5.8p2

Changes since OpenSSH 5.8p1
===========================

Security:

 * Fix local private host key compromise on platforms without host-level randomness support (e.g. /dev/random) reported by Tomas Mraz

   On hosts that did not have a randomness source configured in OpenSSL and were not configured to use EGD/PRNGd (using the --with-prngd-socket configure option), the ssh-rand-helper command was being implicitly executed by ssh-keysign with open file descriptors to the host private keys. An attacker could use ptrace(2) to attach to ssh-rand-helper and exfiltrate the keys.

   Most modern operating systems are not vulnerable. In particular, *BSD, Linux, OS X and Cygwin do not use ssh-rand-helper.

   A full advisory for this issue is available at:
   http://www.openssh.com/txt/portable-keysign-rand-helper.adv
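The release note above turns on a helper program inheriting descriptors that its parent opened. The following C program is an added illustration of that mechanism and of the close-on-exec mitigation for this class of leak; it is not OpenSSH code and not the OpenSSH fix. The function name, `KEY_FD`, the temporary file standing in for a host key and `/bin/sh` standing in for the helper are all assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define KEY_FD 9 /* hypothetical fixed number so the stand-in helper can name it */

/* Returns 1 if a program started with fork+exec can still use the parent's
 * "host key" descriptor, 0 if it cannot, -1 on setup failure. */
int helper_inherits_key_fd(int set_cloexec)
{
    char path[] = "/tmp/hostkey-demo-XXXXXX"; /* constructed stand-in for a key file */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);
    if (fd != KEY_FD) { /* move it to KEY_FD; dup2 leaves FD_CLOEXEC clear */
        if (dup2(fd, KEY_FD) < 0) {
            close(fd);
            return -1;
        }
        close(fd);
    }
    /* Mitigation: mark the descriptor close-on-exec before any helper runs. */
    if (set_cloexec && fcntl(KEY_FD, F_SETFD, FD_CLOEXEC) < 0) {
        close(KEY_FD);
        return -1;
    }
    pid_t pid = fork();
    if (pid == 0) {
        /* Stand-in for the helper: exits 0 only if descriptor 9 is open. */
        execl("/bin/sh", "sh", "-c", "exec 2>/dev/null; : <&9", (char *)NULL);
        _exit(127);
    }
    int status = 0;
    close(KEY_FD);
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("plain descriptor reaches helper: %d\n", helper_inherits_key_fd(0));
    printf("FD_CLOEXEC descriptor reaches helper: %d\n", helper_inherits_key_fd(1));
    return 0;
}
```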
We do not even ship the affected binary - is there anything to be done?
Thanks.
CVE-2011-4327