Date: Mon, 18 May 2015 19:34:03 +0200 From: Dan Lukes <dan@obluda.cz> To: freebsd-security@freebsd.org Subject: Re: Forums.FreeBSD.org - SSL Issue? Message-ID: <555A228B.8080807@obluda.cz> In-Reply-To: <1431957148.2823348.271640449.22FB98B2@webmail.messagingengine.com> References: <CACRVPYOALi-V8D34zeJTYdSwHshYrqtttqVV3=aP8Yb6ZAxfyg@mail.gmail.com> <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <F2460C80-969A-46DF-A44F-6C3D381ABDC3@patpro.net> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <5556E5DC.7090809@obluda.cz> <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com> <55590817.1030507@obluda.cz> <1431900010.1965646.271069369.67E0F082@webmail.messagingengine.com> <55591EE8.9070101@obluda.cz> <1431957148.2823348.271640449.22FB98B2@webmail.messagingengine.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 05/18/15 15:52, Mark Felder: > I mean, should we have an SA because our libc supports strcpy and people > can use that and create severe vulnerabilities? No, but we should have SA whenever other system component is using strcpy() the way that may affect system security. System utility 'fetch' is willing negotiate known-to-be-insecure protocol with no warning and by default. Sensitive user's data may be transferred by base system utility via insecure protocol. I consider it bug in fetch code. A system utility must not allow silent transfer of data via known insecure protocol if secure transfer has been requested. I see no reason to keep the issue in the dark, even in the case the issue will not be patched on 8-R & 9-R. OK, I'm former bank IT security officer, so I my expectations related to handling of security issues may be set so high. It seems there is nothing more to say about this (slightly off-)topic. I wish the vulnerability should be disclosed to public, you wish it is not necessary because it's known bug in a protocol design and users doesn't expect secure channel from 'fetch'. Two men, two opinions. It's not necessary to reach consent. Thank you for all comments and responses. Dan
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?555A228B.8080807>