md2 on current and 10.

Mikhail T mi+apache at aldan.algebra.com
Wed Dec 25 18:52:49 UTC 2013


On 20.12.2013 13:38, olli hauer wrote:
> md2 was deprecated in 2009 by the openssl project
>
>  http://cvs.openssl.org/chngview?cn=18381
>  CVE-2009-2409
>
> As far as I know some Linux based projects have removed md2 from openssl-0.9.x in 2009.
So, when are we removing sum(1) and cksum(1) -- implementations of
even weaker hashing?

Should we do with rsh(1) what Linux has done:

    % rsh -v
    OpenSSH_5.9p1 Debian-5ubuntu1.1, OpenSSL 1.0.1 14 Mar 2012
    usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
               [-D [bind_address:]port] [-e escape_char] [-F configfile]
               [-I pkcs11] [-i identity_file]
               [-L [bind_address:]port:host:hostport]
               [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
               [-R [bind_address:]port:host:hostport] [-S ctl_path]
               [-W host:port] [-w local_tun[:remote_tun]]
               [user@]hostname [command]

How about rexec/rcmd(3), gets(3), and tmpfile(3)? OpenSSL may have
deprecated md2 (though it remains an option even there, just off by
default), but FreeBSD did not have to -- our libmd could've continued to
offer the functionality, just as libz, for yet another example,
continues to offer its own checksum implementation.

If, for some reason, we feel we must warn the user, we could do that
when installing ports -- as we already warn about the network-listening
and other potentially dangerous functions.

Could we, please, have MD2 resurrected before 10.0 is officially out?
Preferably in both -lmd and -lcrypto, but certainly in the former. Thank
you! Yours,

    -mi



More information about the freebsd-current mailing list