pkgsrc-Bugs archive
Re: pkg/47518: security/libssh MUST be replaced by the real wip/libssh
The following reply was made to PR pkg/47518; it has been noted by GNATS.
From: Noud de Brouwer <noud4%home.nl@localhost>
To: gnats-bugs%NetBSD.org@localhost, security-announce%NetBSD.org@localhost,
pkgsrc-users%NetBSD.org@localhost, netbsd-announce%netbsd.org@localhost,
tech-pkg%netbsd.org@localhost
Cc: root%netbsd.org@localhost
Subject: Re: pkg/47518: security/libssh MUST be replaced by the real wip/libssh
Date: Thu, 31 Jan 2013 16:16:36 +0000
(top post)
vulnerabilities in NetBSD are no longer taken seriously.
example, take:
CVE-2012-4559, CVE-2012-4560, CVE-2012-4561 and CVE-2012-4562
we cannot say _anything_ if we have this vulnerability,
given we have an impostor libssh and not _the_real_thing_
that we do distribute to you all.
i am totally ashamed of our platform.
On Thu, 2013-01-31 at 15:20 +0000, gnats-admin%netbsd.org@localhost wrote:
> Thank you very much for your problem report.
> It has the internal identification `pkg/47518'.
> The individual assigned to look at your
> report is: pkg-manager.
>
> >Category: pkg
> >Responsible: pkg-manager
> >Synopsis: security/libssh MUST be replaced by the real wip/libssh
> >Arrival-Date: Thu Jan 31 15:20:00 +0000 2013
http://mail-index.netbsd.org/pkgsrc-wip-cvs/2013/01/31/msg030641.html
http://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=47518
Date: Thu, 31 Jan 2013 15:16:37 +0000 (UTC)
From: noud4%home.nl@localhost
Reply-To: noud4%home.nl@localhost
To: gnats-bugs%NetBSD.org@localhost
Subject: security/libssh MUST be replaced by the real wip/libssh
>Number: 47518
>Category: pkg
>Synopsis: security/libssh MUST be replaced by the real wip/libssh
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: pkg-manager
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Thu Jan 31 15:20:00 +0000 2013
>Last-Modified: Thu Jan 31 15:40:04 +0000 2013
>Originator: Noud de Brouwer
>Release: does imply all releases that can build security/libssh
>Organization:
-none-
>Environment:
NetBSD 10.0.2.17 6.99.16 NetBSD 6.99.16 (MONOLITHIC.UGEN) #7: Wed Jan 16 02:06:10 UTC 2013 mickey55@10.0.2.17:/obj-src/sys/arch/i386/compile/MONOLITHIC.UGEN i386
>Description:
security/libssh is an imposter and wip/libssh is the real thing.
security/libssh/Makefile:
DISTNAME= libssh-0.11
PKGREVISION= 3
CATEGORIES= security
MASTER_SITES= http://www.0xbadc0de.be/libssh/
wip/libssh/Makefile:
DISTNAME= libssh-0.5.3
CATEGORIES= security
MASTER_SITES= http://www.libssh.org/files/0.5/
now what are the implications? we do _not_ know in the current situation if
we are exploitable through:
CVE-2012-4559, CVE-2012-4560, CVE-2012-4561 and CVE-2012-4562.
furthermore: this _total_ unknown security/libssh is used in
wip/gtk-grdc that can be removed given we now have net/remmina.
furthermore: we now have security/hydra,
if we want to keep this it should be in malware/hydra.
i highly advise to retrieve ASau's account, even want his
sponsor to be monitored now (given i do not constantly want to
check for booby-traps, backdoors and the like, given time.)
>How-To-Repeat:
yeah (use your eyes and knowledge).
>Fix:
remove existing security/libssh and pull-up wip/libssh,
preferably immediately.
>Audit-Trail:
From: Thomas Klausner <wiz%NetBSD.org@localhost>
To: NetBSD bugtracking <gnats-bugs%NetBSD.org@localhost>
Cc:
Subject: Re: pkg/47518: security/libssh MUST be replaced by the real wip/libssh
Date: Thu, 31 Jan 2013 16:29:52 +0100
On Thu, Jan 31, 2013 at 03:20:01PM +0000, noud4%home.nl@localhost wrote:
> security/libssh in an imposter and wip/libssh is the real thing.
I think it's just a really old version.
http://www.0xbadc0de.be/libssh/
has a file listing that says:
[ ] libssh-0.11.tgz 09-Jan-2008 19:50 297K
[ ] libssh_now_at_www.libssh.org 26-Apr-2010 23:33 0
> furthermore: we now have security/hydra,
> if we want to keep this it should be in malware/hydra.
Why?
Btw, there's a newer version of hydra out.
http://freeworld.thc.org/thc-hydra/
> i high advise to retrieve ASau his account, even want his
> sponsor to be monitored now
What does he have to do with anything? Just because he was the last to
commit to hydra (destdir related)?
This mail is much too blatant for my taste.
Thomas
From: Noud de Brouwer <noud4%home.nl@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc:
Subject: Re: pkg/47518: security/libssh MUST be replaced by the real wip/libssh
Date: Thu, 31 Jan 2013 15:42:44 +0000
On Thu, 2013-01-31 at 15:30 +0000, Thomas Klausner wrote:
> This mail is much too blatant for my taste.
err, no Thomas, you are fully mistaken on this one,
security/libssh is totally blatant, not my PR and successive e-mails.
> Thomas
-- noud
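An added example, not part of this PR and not pkgsrc's own tooling: a small Python audit that parses the two Makefile fragments quoted in the PR, records which host each package actually fetches from, and shows why a dewey-style numeric version comparison alone would not have exposed the stale package. The upstream host is an assumption taken from the libssh_now_at_www.libssh.org marker in the directory listing Thomas Klausner quotes.

```python
"""Added example, not pkgsrc tooling: audit what two pkgsrc Makefiles fetch."""
import re
from urllib.parse import urlparse

# The two Makefile fragments as quoted in the PR (embedded here as literals).
SECURITY_LIBSSH = """\
DISTNAME= libssh-0.11
PKGREVISION= 3
CATEGORIES= security
MASTER_SITES= http://www.0xbadc0de.be/libssh/
"""
WIP_LIBSSH = """\
DISTNAME= libssh-0.5.3
CATEGORIES= security
MASTER_SITES= http://www.libssh.org/files/0.5/
"""
# Assumed upstream host, taken from the libssh_now_at_www.libssh.org marker
# file in the 0xbadc0de.be listing quoted in the thread.
UPSTREAM_HOST = "www.libssh.org"

def parse_makefile(text):
    """Collect simple 'VAR= value' assignments into a dict."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Z_]+)\s*[?+:]?=\s*(.*?)\s*$", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def dist_version(distname):
    """Split 'libssh-0.5.3' into ('libssh', '0.5.3')."""
    name, _, ver = distname.rpartition("-")
    return name, ver

def dewey_cmp(a, b):
    """Simplified dewey-style numeric dotted comparison: -1, 0 or 1.
    It ranks 0.11 above 0.5.3, yet the listing date in the thread shows
    0.11 is the 2008 release, so version strings alone do not settle this."""
    pa = [int(x) for x in a.split(".")]
    pb = [int(x) for x in b.split(".")]
    return (pa > pb) - (pa < pb)

def audit(pkg_path, text):
    """Report name, version and fetch host; flag a host that is not upstream."""
    v = parse_makefile(text)
    name, ver = dist_version(v["DISTNAME"])
    host = urlparse(v["MASTER_SITES"].split()[0]).hostname
    return {"pkg": pkg_path, "name": name, "version": ver, "host": host,
            "off_upstream": host != UPSTREAM_HOST}
```

Run audit() over both fragments: only security/libssh is flagged as fetching off the upstream host, while dewey_cmp() would wrongly report its 0.11 as newer than 0.5.3.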