Found marc.info unreadable on mobile - for me this was much better:
https://seclists.org/oss-sec/2025/q1/144
The section on how this happened reads like a steaming indictment of the concept of secure C code. That’s the interesting part, to me.
And it’s not even about memory safety, just error handling!
Not many people are using VerifyHostKeyDNS yet, but it’s good we’re fixing things before these MITM could do much harm. The resource DoS, though, means it’s definitely time to update OpenSSH. We all have the update in muscle memory now, don’t we? ;)
doas syspatch makes it pretty easy. Couldn’t tell you what people on other operating systems have to do.