From: Ed Maste
Date: Fri, 14 Feb 2020 13:18:44 -0500
Subject: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
To: FreeBSD Current, freebsd-security@freebsd.org

Upstream OpenSSH-portable removed libwrap support in version 6.7, released in October 2014. We've maintained a patch in our tree to restore it, but it causes friction on each OpenSSH update and may introduce security vulnerabilities not present upstream. It's (past) time to remove it.

Although the specific deprecation steps aren't yet fleshed out I'm sending this as an early notice that I plan to disable libwrap support from the base system sshd and that FreeBSD 13 will not support it.

We'll probably keep the patch in the tree for some time, to support MFCs to stable branches; the patch will be removed entirely later on.