From: Bryan Drewery
Organization: FreeBSD
Date: Sat, 19 Apr 2014 02:11:02 -0500
To: Jamie Landeg-Jones, matt@chronos.org.uk, freebsd-security@freebsd.org
Message-ID: <53522186.9030207@FreeBSD.org>
Subject: Re: De Raadt + FBSD + OpenSSH + hole?
References: <534B11F0.9040400@paladin.bulgarpress.com> <201404141207.s3EC7IvT085450@chronos.org.uk> <201404141232.s3ECWFQ1081178@catnip.dyslexicfish.net>
In-Reply-To: <201404141232.s3ECWFQ1081178@catnip.dyslexicfish.net>

On 4/14/2014 7:32 AM, Jamie Landeg-Jones wrote:
> Matt Dawson wrote:
>
>> My first thought when I saw this was "ego over ethics," which says more
>> about Theo than FreeBSD.
>
> Totally.
>
> I know Theo has a reputation for being 'difficult', but in my opinion,
> this outburst really calls into question his perceived motivations
> regarding secure software.
>
> As to the specific question, I don't think his ego would allow a bug
> in openssh to persist, so even if it does, I'd suspect it's not too
> serious (or it's non-trivial to exploit), and it's related to FreeBSD
> produced 'glue'.
>
> This is total guesswork on my part, but I'd therefore assume he was
> talking about openssh in base, rather than openssh-portable in
> ports.
>

As the maintainer of the port I will say that your security decreases
with each OPTION/patch you apply. I really would not be surprised if one
of the optional patches available in the port had issues.

-- 
Regards,
Bryan Drewery