From owner-freebsd-security@FreeBSD.ORG Sun May 25 09:15:51 2014
From: kaltheat@googlemail.com
To: Todor Todorov
Cc: freebsd-security@freebsd.org
Subject: Re: De Raadt + FBSD + OpenSSH + hole?
Date: Sun, 25 May 2014 10:58:09 +0200
Message-ID: <20140525085809.GA1531@sol>
In-Reply-To: <534B11F0.9040400@paladin.bulgarpress.com>
List-Id: "Security issues [members-only posting]"

On Mon, Apr 14, 2014 at 01:38:40AM +0300, Todor Todorov wrote:
> Hi everyone,
> I came across this:
>
> https://groups.google.com/forum/#!topic/mailing.openbsd.tech/xALfxxR3oKo
>
> " You are welcome. Stuart Henderson wrote the draft, but he forgot that
> part, and Damien Miller and I realized it was needed. We sensed there
> might be some ambiguity... we'll take care the next time an
> OpenOffice problem also.
>
> ... as long as you aren't using FreeBSD or a derivative (hint: Juniper),
> you are fine. That's the only place I know of an OpenSSH hole.
>
> Oh now I sense some angst. Please ask Kirk McKusick, he knows the
> story about why this is not being disclosed to FreeBSD. Sometimes I
> feel a bit sorry for them (and for him), but then the next minute I
> don't feel sorry because there's damn good reasons they won't be
> told about what I found.
>
> Does that answer help? Hope so."
>
> Any guidance here?

So, just to sum it up and get it right for me: De Raadt might have found a security hole in OpenSSH for FreeBSD and derivatives, but he doesn't give any details on that. He himself does not explain his behaviour, but advises asking McKusick about it.

Nobody has asked McKusick for details (though it would be really strange if he were able to look into someone else's head), but there are some people thinking that it might be a reaction to a communication problem dating back to 2005, where a security hole was found in FreeBSD, but the other *BSDs weren't informed immediately about the details.

Have I missed something, or is this the essence?

Regards,
kaltheat