On 06/02/18 09:29, Darren Tucker wrote:
Both GCC and clang are adding mitigations for Spectre variant 2 although neither have yet made a release and neither are on by default. After trolling through and building release candidate branches for both I believe this is what is required for the ssh programs
Do we need to do anything? It's not clear to me how SSH is vulnerable to Spectre -- that is, how SSH can be used to execute a Spectre attack? Browsers are vulnerable because they can be made to load and run abitrary JS programs. Although SSH can be used to execute arbitrary programs, they don't run within the SSH processes. Do we truly need to do anything?
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev