Date: Mon, 6 Oct 2003 09:10:01 -0500 From: "Jacques A. Vidrine" <nectar@FreeBSD.org> To: D J Hawkey Jr <hawkeyd@visi.com> Cc: security at FreeBSD <freebsd-security@FreeBSD.org> Subject: Re: 4.6-R (Was: Re: FreeBSD Security Advisory FreeBSD-SA-03:18.openssl) Message-ID: <20031006141001.GB46753@madman.celabo.org> In-Reply-To: <20031006135332.GA3551@sheol.localdomain> References: <200310032249.h93MnXS8047857@freefall.freebsd.org> <20031005142519.GA76750@sheol.localdomain> <20031005163252.GC399@cowbert.2y.net> <20031005171245.GA82807@sheol.localdomain> <20031006120442.GA77299@madman.celabo.org> <20031006135332.GA3551@sheol.localdomain>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Oct 06, 2003 at 08:53:32AM -0500, D J Hawkey Jr wrote: > Your point is well taken, and should be heeded, but I'm not sure about > the "gurus" bit. I'm no guru, but I've been patching some EOL'd releases > for a while now with little confusion. I was trying to politely say, ``only by people who know what they are doing''. > Having said that, I've been looking over the SA-03:15 patchfile for > RELENG_4_6 to see if I must patch a RELENG_4_5 box. My observations: > > 1) In auth1.c, code is added to remember the last packet before getting > the next, in order to free resources if the next isn't what's expected. > The base OpenSSH in RELENG_4_5 doesn't allocate any such resources; > that patch isn't appropriate. > 2) In auth2-pam-freebsd.c, there is a sanity check to see that an alloc'd > structure is properly initialized. Due to code style/structure, > RELENG_4_5's auth_pam.c doesn't seem to require this, as the structure > elements are explicitly set in the case clauses. > 3) The default configuration is changed: RhostsRSAAuthentication -> no, > StrictHostKeyChecking -> ask, Cipher -> 3des, and Ciphers -> ... . > > The first two explain why the SA omits RELENG_4_5. Not completely. RELENG_4_5 is omitted also because it is no longer supported by the security-officer team and we ran out of resources at RELENG_4_6 (which is also no longer supported). You will note that RELENG_4_5 also did not receive fixes for the previous two OpenSSH security advisories. > However, my corresponding question is: > > 3) Why the changes? Should RELENG_4_5's configuration also be changed? > > This is really the only question I have, as the code doesn't appear to > need any attention. Check the commit logs on RELENG_4 from that period. The differences are due to normal development between the time 4.5-RELEASE and 4.6-RELEASE. > And an unrelated question: > > - What's the BSD_AUTH define for? There doesn't seem to be anything > in RELENG_4_5 that activates the #ifdef'd code, and it looks as > though it's removed in RELENG_4_6. bsdauth is an authentication mechanism preferred by OpenBSD (where they have no PAM, IIRC). Cheers, -- Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031006141001.GB46753>