De Raadt + FBSD + OpenSSH + hole?
Jamie Landeg-Jones
jamie at dyslexicfish.net
Sun Apr 20 05:48:51 UTC 2014
Bryan Drewery <bdrewery at FreeBSD.org> wrote:
> On 4/14/2014 7:32 AM, Jamie Landeg-Jones wrote:
> >
> > As to the specific question, I don't think his ego would allow a bug
> > in openssh to persist, so even if it does, I'd suspect it's not too
> > serious (or it's non-trivial to exploit), and it's related to FreeBSD
> > produced 'glue'.
> >
> > This is total guesswork on my part, but I'd therefore assume he was
> > talkining about openssh in base, rarther than openssh-portable in
> > ports.
> >
>
> As the maintainer of the port I will say that your security decreases
> with each OPTION/patch you apply. I really would not be surprised if one
> of the optional patches available in the port had issues.
Ahhhh. good point. I forgot about third-party patches.
Yeah, if he's not just blowing smoke, that would make the most sense.
I don't reckon he'd leave an exploit open if it was purely related to
the unpatched source - even if there is some quirk which only makes
it only applicable to FreeBSD.
Still, by not revealing it, he's only potentially hurting the users.
I wonder how many blackhats are going to use this thread as a heads-up?
Cheers, Jamie
More information about the freebsd-security
mailing list