Message-ID: <52BB2979.5040008@aldan.algebra.com>
Date: Wed, 25 Dec 2013 13:52:41 -0500
From: Mikhail T
To: olli hauer, Current FreeBSD
Subject: Re: md2 on current and 10.
References: <52B392D9.4030507@aldan.algebra.com> <52B483D7.7080302@gmx.de> <52B486AD.7080102@aldan.algebra.com> <52B48E8C.5070804@gmx.de>
In-Reply-To: <52B48E8C.5070804@gmx.de>
List-Id: Discussions about the use of FreeBSD-current

On 20.12.2013 13:38, olli hauer wrote:
> md2 was deprecated in 2009 by the openssl project
>
> http://cvs.openssl.org/chngview?cn=18381
> CVE-2009-2409
>
> As far as I know some Linux based projects have removed md2 from
> openssl-0.9.x in 2009.

So, when are we removing sum(1) and cksum(1) -- implementations of even
weaker hashing? Should we do with rsh(1) what Linux has done:

    % rsh -v
    OpenSSH_5.9p1 Debian-5ubuntu1.1, OpenSSL 1.0.1 14 Mar 2012
    usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
               [-D [bind_address:]port] [-e escape_char] [-F configfile]
               [-I pkcs11] [-i identity_file]
               [-L [bind_address:]port:host:hostport]
               [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
               [-R [bind_address:]port:host:hostport] [-S ctl_path]
               [-W host:port] [-w local_tun[:remote_tun]]
               [user@]hostname [command]

How about rexec/rcmd(3), gets(3), and tmpfile(3)?

OpenSSL may have deprecated md2 (though it remains an option even there,
just off by default), but FreeBSD did not have to -- our libmd could've
continued to offer the functionality, just as libz, for yet another
example, continues to offer its own checksum implementation.

If, for some reason, we feel we must warn the user, we could do that when
installing ports -- as we already warn about the network-listening and
other potentially dangerous functions.

Could we, please, have MD2 resurrected before 10.0 is officially out?
Preferably in both -lmd and -lcrypto, but certainly in the former.

Thank you! Yours,

    -mi