From owner-freebsd-security@FreeBSD.ORG Sun Apr 20 05:48:51 2014 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 146594FA; Sun, 20 Apr 2014 05:48:51 +0000 (UTC) Received: from pacha.mail.dyslexicfish.net (space.mail.dyslexicfish.net [91.109.5.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id A25571AE3; Sun, 20 Apr 2014 05:48:50 +0000 (UTC) Received: from catnip.dyslexicfish.net (space.mail.dyslexicfish.net [91.109.5.35]) by pacha.mail.dyslexicfish.net (8.14.5/8.14.5) with ESMTP id s3K5mVuZ055245; Sun, 20 Apr 2014 06:48:31 +0100 (BST) (envelope-from jamie@catnip.dyslexicfish.net) Received: (from jamie@localhost) by catnip.dyslexicfish.net (8.14.5/8.14.5/Submit) id s3K5mV7N055244; Sun, 20 Apr 2014 06:48:31 +0100 (BST) (envelope-from jamie) From: Jamie Landeg-Jones Message-Id: <201404200548.s3K5mV7N055244@catnip.dyslexicfish.net> Date: Sun, 20 Apr 2014 06:48:31 +0100 To: matt@chronos.org.uk, jamie@dyslexicfish.net, freebsd-security@FreeBSD.org, bdrewery@FreeBSD.org Subject: Re: De Raadt + FBSD + OpenSSH + hole? References: <534B11F0.9040400@paladin.bulgarpress.com> <201404141207.s3EC7IvT085450@chronos.org.uk> <201404141232.s3ECWFQ1081178@catnip.dyslexicfish.net> <53522186.9030207@FreeBSD.org> In-Reply-To: <53522186.9030207@FreeBSD.org> User-Agent: Heirloom mailx 12.4 7/29/08 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (pacha.mail.dyslexicfish.net [91.109.5.35]); Sun, 20 Apr 2014 06:48:32 +0100 (BST) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 20 Apr 2014 05:48:51 -0000 Bryan Drewery wrote: > On 4/14/2014 7:32 AM, Jamie Landeg-Jones wrote: > > > > As to the specific question, I don't think his ego would allow a bug > > in openssh to persist, so even if it does, I'd suspect it's not too > > serious (or it's non-trivial to exploit), and it's related to FreeBSD > > produced 'glue'. > > > > This is total guesswork on my part, but I'd therefore assume he was > > talkining about openssh in base, rarther than openssh-portable in > > ports. > > > > As the maintainer of the port I will say that your security decreases > with each OPTION/patch you apply. I really would not be surprised if one > of the optional patches available in the port had issues. Ahhhh. good point. I forgot about third-party patches. Yeah, if he's not just blowing smoke, that would make the most sense. I don't reckon he'd leave an exploit open if it was purely related to the unpatched source - even if there is some quirk which only makes it only applicable to FreeBSD. Still, by not revealing it, he's only potentially hurting the users. I wonder how many blackhats are going to use this thread as a heads-up? Cheers, Jamie