Package: openssh-client Version: 1:7.4p1-10+deb9u4 Severity: minor Tags: patch
I was curious about how OpenSSH does DNSSEC validation, and found the patch that adds support for doing this with glibc (dnssec-sshfp.patch). However, there is a minor bug in the change to getrrsetbyname(). It validates the flags parameter with: if ((flags & !RRSET_FORCE_EDNS0) != 0) { ... } But this condition will always be false, because !RRSET_FORCE_EDNS0 == 0. The "!" operator was presumably meant to be "~". Ben. -- System Information: Debian Release: 9.5 APT prefers stable APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386, armhf Kernel: Linux 4.9.0-7-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages openssh-client depends on: ii adduser 3.115 ii dpkg 1.18.25 ii libc6 2.24-11+deb9u3 ii libedit2 3.1-20160903-3 ii libgssapi-krb5-2 1.15-1+deb9u1 ii libselinux1 2.6-3+b3 ii libssl1.0.2 1.0.2l-2+deb9u3 ii passwd 1:4.4-4.1 ii zlib1g 1:1.2.8.dfsg-5 Versions of packages openssh-client recommends: ii xauth 1:1.0.9-1+b2 Versions of packages openssh-client suggests: pn keychain <none> pn libpam-ssh <none> pn monkeysphere <none> pn ssh-askpass <none> -- no debconf information -- Ben Hutchings, Software Developer Codethink Ltd https://www.codethink.co.uk/ Dale House, 35 Dale Street Manchester, M1 2HF, United Kingdom