Date: Sun, 20 Apr 2014 06:48:31 +0100 From: Jamie Landeg-Jones <jamie@dyslexicfish.net> To: matt@chronos.org.uk, jamie@dyslexicfish.net, freebsd-security@FreeBSD.org, bdrewery@FreeBSD.org Subject: Re: De Raadt + FBSD + OpenSSH + hole? Message-ID: <201404200548.s3K5mV7N055244@catnip.dyslexicfish.net> In-Reply-To: <53522186.9030207@FreeBSD.org> References: <534B11F0.9040400@paladin.bulgarpress.com> <201404141207.s3EC7IvT085450@chronos.org.uk> <201404141232.s3ECWFQ1081178@catnip.dyslexicfish.net> <53522186.9030207@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Bryan Drewery <bdrewery@FreeBSD.org> wrote: > On 4/14/2014 7:32 AM, Jamie Landeg-Jones wrote: > > > > As to the specific question, I don't think his ego would allow a bug > > in openssh to persist, so even if it does, I'd suspect it's not too > > serious (or it's non-trivial to exploit), and it's related to FreeBSD > > produced 'glue'. > > > > This is total guesswork on my part, but I'd therefore assume he was > > talkining about openssh in base, rarther than openssh-portable in > > ports. > > > > As the maintainer of the port I will say that your security decreases > with each OPTION/patch you apply. I really would not be surprised if one > of the optional patches available in the port had issues. Ahhhh. good point. I forgot about third-party patches. Yeah, if he's not just blowing smoke, that would make the most sense. I don't reckon he'd leave an exploit open if it was purely related to the unpatched source - even if there is some quirk which only makes it only applicable to FreeBSD. Still, by not revealing it, he's only potentially hurting the users. I wonder how many blackhats are going to use this thread as a heads-up? Cheers, Jamie
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201404200548.s3K5mV7N055244>