From owner-freebsd-security@FreeBSD.ORG Thu Dec 16 08:26:57 2010
Message-ID: <4D09CD50.1030605@freebsd.org>
Date: Thu, 16 Dec 2010 00:26:56 -0800
From: FreeBSD Security Officer
Organization: FreeBSD Project
User-Agent: Mozilla/5.0 (X11; U; FreeBSD amd64; en-US; rv:1.9.1.11) Gecko/20100803 Thunderbird/3.0.6
To: freebsd security
Reply-To: security-officer@freebsd.org
List-Id: "Security issues [members-only posting]"
Subject: Claims of FBI backdoors in OpenBSD cryptographic code

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

We are aware of the email forwarded by Theo de Raadt to the openbsd-tech mailing list concerning alleged backdoor(s) in OpenBSD's IPSec stack and/or other cryptographic code.

The FreeBSD operating system contains code derived from OpenBSD, including the crypto(4) driver, the IPSec stack, OpenSSH, and the pf firewall. As we do with all such derived code, we keep an eye on the upstream projects so that we can respond promptly to any vulnerabilities which are found.

It is worth noting, however, that vulnerabilities are found in upstream codebases on a regular basis, and even if some are found in the alleged areas it does not necessarily imply that they were deliberately inserted.

One of the great advantages of open source software is that it is possible for many people to audit it; the "many eyes" theory, however, depends on having many people who actually _do_ look at the code, not merely having many people who _can_ look at the code, and to that end we always encourage more independent auditing of code in FreeBSD. In the case of code which came to FreeBSD via other projects, this is no less important: for a variety of reasons, the code in FreeBSD is almost never identical to the code in upstream projects, and in bringing code to FreeBSD it is entirely possible for bugs to be added or removed.

As always, anyone who believes that they have found a vulnerability affecting FreeBSD is requested to contact secteam@freebsd.org.

- -- 
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (FreeBSD)

iEYEARECAAYFAk0JzVAACgkQFdaIBMps37JnkgCfeK8w1BFQwbDeYNRcZUYuAVuJ
uJAAnA7F/utOgkkHWI9mB2fh7oB/6ZPd
=EUq1
-----END PGP SIGNATURE-----