pkgsrc-Bugs archive


Re: pkg/47518: security/libssh MUST be replaced by the real wip/libssh



The following reply was made to PR pkg/47518; it has been noted by GNATS.

From: Noud de Brouwer <noud4%home.nl@localhost>
To: gnats-bugs%NetBSD.org@localhost, security-announce%NetBSD.org@localhost, 
 pkgsrc-users%NetBSD.org@localhost, netbsd-announce%netbsd.org@localhost, 
tech-pkg%netbsd.org@localhost
Cc: root%netbsd.org@localhost
Subject: Re: pkg/47518: security/libssh MUST be replaced by the real
 wip/libssh
Date: Thu, 31 Jan 2013 16:16:36 +0000

 (top post)
 
 vulnerabilities in NetBSD are no longer taken seriously.
 
 example, take:
 CVE-2012-4559, CVE-2012-4560, CVE-2012-4561 and CVE-2012-4562
 we can not say _anything_ if we have this vulnerability,
 given we have an impostor libssh and not _the_real_thing_
 that we do distribute to you all.
 
 I am totally ashamed of our platform.
 
 On Thu, 2013-01-31 at 15:20 +0000, gnats-admin%netbsd.org@localhost wrote:
 > Thank you very much for your problem report.
 > It has the internal identification `pkg/47518'.
 > The individual assigned to look at your
 > report is: pkg-manager. 
 > 
 > >Category:       pkg
 > >Responsible:    pkg-manager
 > >Synopsis:       security/libssh MUST be replaced by the real wip/libssh
 > >Arrival-Date:   Thu Jan 31 15:20:00 +0000 2013
 
 http://mail-index.netbsd.org/pkgsrc-wip-cvs/2013/01/31/msg030641.html
 
 http://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=47518
 
 From www%NetBSD.org@localhost  Thu Jan 31 15:16:38 2013
 Return-Path: <www%NetBSD.org@localhost>
 Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
        by www.NetBSD.org (Postfix) with ESMTP id E3C1363C07C
        for <gnats-bugs%gnats.NetBSD.org@localhost>; Thu, 31 Jan 2013 15:16:37 +0000 (UTC)
 Message-Id: <20130131151637.3F98C63C07C%www.NetBSD.org@localhost>
 Date: Thu, 31 Jan 2013 15:16:37 +0000 (UTC)
 From: noud4%home.nl@localhost
 Reply-To: noud4%home.nl@localhost
 To: gnats-bugs%NetBSD.org@localhost
 Subject: security/libssh MUST be replaced by the real wip/libssh
 X-Send-Pr-Version: www-1.0
 
 
 >Number:         47518
 >Category:       pkg
 >Synopsis:       security/libssh MUST be replaced by the real wip/libssh
 >Confidential:   no
 >Severity:       critical
 >Priority:       high
 >Responsible:    pkg-manager
 >State:          open
 >Class:          change-request
 >Submitter-Id:   net
 >Arrival-Date:   Thu Jan 31 15:20:00 +0000 2013
 >Last-Modified:  Thu Jan 31 15:40:04 +0000 2013
 >Originator:     Noud de Brouwer
 >Release:        does imply all releases that can build security/libssh
 >Organization:
 -none-
 >Environment:
 NetBSD 10.0.2.17 6.99.16 NetBSD 6.99.16 (MONOLITHIC.UGEN) #7: Wed Jan 16 02:06:10 UTC 2013  mickey55@10.0.2.17:/obj-src/sys/arch/i386/compile/MONOLITHIC.UGEN i386
 >Description:
 security/libssh is an imposter and wip/libssh is the real thing.
 
 
 security/libssh/Makefile:
 DISTNAME=       libssh-0.11
 PKGREVISION=    3
 CATEGORIES=     security
 MASTER_SITES=   http://www.0xbadc0de.be/libssh/
 
 
 wip/libssh/Makefile:
 DISTNAME=               libssh-0.5.3
 CATEGORIES=             security
 MASTER_SITES=           http://www.libssh.org/files/0.5/
 
 
 now what are the implications!! we do _not_ know in the current situation if we are exploitable through:
 CVE-2012-4559, CVE-2012-4560, CVE-2012-4561 and CVE-2012-4562.
 
 
 furthermore: this _total_ unknown security/libssh is used in
 wip/gtk-grdc that can be removed given we now have net/remmina.
 
 
 furthermore: we now have security/hydra,
 if we want to keep this it should be in malware/hydra.
 
 
 I highly advise retrieving ASau's account, and even want his
 sponsor to be monitored now (given I do not constantly want to
 check for booby-traps, backdoors and the like, given time.)
 >How-To-Repeat:
 yeah (use your eyes and knowledge).
 >Fix:
 remove existing security/libssh and pull-up wip/libssh,
 preferably immediate.
 
 
 >Audit-Trail:
 From: Thomas Klausner <wiz%NetBSD.org@localhost>
 To: NetBSD bugtracking <gnats-bugs%NetBSD.org@localhost>
 Cc: 
 Subject: Re: pkg/47518: security/libssh MUST be replaced by the real
  wip/libssh
 Date: Thu, 31 Jan 2013 16:29:52 +0100
 
 
  On Thu, Jan 31, 2013 at 03:20:01PM +0000, noud4%home.nl@localhost wrote:
  > security/libssh in an imposter and wip/libssh is the real thing.
 
  
  I think it's just a really old version.
  http://www.0xbadc0de.be/libssh/
  has a file listing that says:
  [ ] libssh-0.11.tgz   09-Jan-2008 19:50       297K
  [ ] libssh_now_at_www.libssh.org    26-Apr-2010 23:33 0
 
  
  > furthermore: we now have security/hydra,
  > if we want to keep this it should be in malware/hydra.
 
  
  Why?
 
  
  Btw, there's a newer version of hydra out.
  http://freeworld.thc.org/thc-hydra/
 
  
  > i high advise to retrieve ASau his account, even want his
  > sponsor to be monitored now
 
  
  What does he have to do with anything? Just because he was the last to
  commit to hydra (destdir related)?
 
  
  This mail is much too blatant for my taste.
   Thomas
 
  
 From: Noud de Brouwer <noud4%home.nl@localhost>
 To: gnats-bugs%NetBSD.org@localhost
 Cc: 
 Subject: Re: pkg/47518: security/libssh MUST be replaced by the real
  wip/libssh
 Date: Thu, 31 Jan 2013 15:42:44 +0000
 
 
  On Thu, 2013-01-31 at 15:30 +0000, Thomas Klausner wrote:
  >  This mail is much too blatant for my taste.
 
  
  err, no Thomas, you are fully mistaken on this one,
  security/libssh is total blatant, not my PR and successive e-mails.
  >   Thomas
  -- noud
 

