Date:      Sun, 25 May 2014 10:58:09 +0200
From:      kaltheat@googlemail.com
To:        Todor Todorov <todorov@paladin.bulgarpress.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: De Raadt + FBSD + OpenSSH + hole?
Message-ID:  <20140525085809.GA1531@sol>
In-Reply-To: <534B11F0.9040400@paladin.bulgarpress.com>
References:  <534B11F0.9040400@paladin.bulgarpress.com>

On Mon, Apr 14, 2014 at 01:38:40AM +0300, Todor Todorov wrote:
> Hi everyone,
> I came across this :
> 
> https://groups.google.com/forum/#!topic/mailing.openbsd.tech/xALfxxR3oKo
> 
> " You are welcome.  Stuart Henderson wrote the draft, but he forgot that 
> part, and Damien Miller and I realized it was needed.  We sensed there 
> might be some ambiguity...  we'll take care the next time an 
> OpenOffice problem also. 
> 
> ... as long as you aren't using FreeBSD or a derivative (hint: Juniper), 
> you are fine.  That's the only place I know of an OpenSSH hole. 
> 
> Oh now I sense some angst.  Please ask Kirk McKusick, he knows the 
> story about why this is not being disclosed to FreeBSD.  Sometimes I 
> feel a bit sorry for them (and for him), but then the next minute I 
> don't feel sorry because there's damn good reasons they won't be 
> told about what I found. 
> 
> Does that answer help?  Hope so."
> 
> Any guidance here?

So, just to sum it up and get it right for me:
De Raadt might have found a security hole in OpenSSH for FreeBSD and derivatives,
but he doesn't give any details on that. He himself does not explain his
behaviour, but advises to ask McKusick about it. Nobody has asked McKusick for
details (though it would be really strange if he is able to look into someone
else's head), but there are some people thinking that it might be a reaction
to a communication problem dating back to 2005, where a security hole was found
in FreeBSD, but other *BSDs weren't informed immediately about details.

Have I missed something or is this the essence?

Regards,
kaltheat 




