Subject: Re: OF2.0 and /etc/mk.conf and ACCEPTABLE_LICENSES
To: gabriel rosenkoetter <gr@eclipsed.net>
From: David Brownlee <abs@mono.org>
List: port-macppc
Date: 12/17/1999 11:48:39
	Replying to Gabriel and David in one message here :)

On Thu, 16 Dec 1999, gabriel rosenkoetter wrote:

> > 	Those using USE_RSAREF2=NO in their /etc/mk.conf would never
> > 	have had a vulnerable ssh. Those who were using rsaref just need
> > 	to update to the latest source.
> 
> Last time I checked, the ssh.com folks hadn't fixed their RSAREF2
> library.

	I think this is the misunderstanding :)

	Pkgsrc also includes specific security and bugfix patches.
	In this case the NetBSD rsaref package was updated twice;
	once as soon as a first RSAREF2 patch was posted to bugtraq,
	and a second time when the updated fix was posted. In each
	case the patch was not from ssh or rsa, and ssh package
	was updated to specifically require the fixed rsaref package.
	See:
		http://www.netbsd.org/Changes/#rsaref2

	There are a significant number of packages which contain patches
	that have not been incorporated by the original authors. Some are
	security related, so in that sense you are sometimes _better_ in
	security terms when you use pkgsrc :)

> As I understand it, OpenSSH does use OpenSSL, which does use RSAREF2.
> The RSAREF2 that's part of OpenSSL, however, is one audited by the
> OpenBSD folks (for inclusion in OpenBSD), which means that it does not
> contain the buffer overflows that are in the version against which
> ssh-1.2.2* is linked.

	The NetBSD rsaref package has been similarly patched, so
	any package that depends on it is also safe.

On Thu, 16 Dec 1999, David A. Gatwood wrote:

> No, you're not a freak.  Ssh and other security tools are the kind of
> thing where I wouldn't feel comfortable getting it from a package, whether
> pre-compiled or in a source package.  It's too important to risk it. 
> 
> SSH is one of a few things that you really should compile from the
> original source.  If you're particularly careful, you should even verify
> the tarball's pgp signature.  :-)

	In the case of someone (legally) using ssh in America, they
	_must_ use RSAREF (for now), which means they must either have
	their own patches, or use the pkgsrc version.

	Pkgsrc uses the original source tarball from the official
	site, and checks its md5 signature before extracting, then
	applies any local patches, so you can check the original
	pgp signature and still gain the benefit of the automated
	install and already-fixed rsaref library.

	btw - if you are cautious enough to verify the source for ssh,
	then you should also do the same for any tool you ever run as
	root :)

		David/absolute
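The checksum step David describes (verify the distfile against a recorded digest before extracting or patching) is easy to get subtly wrong: a missing entry or an unknown digest type must fail closed, not pass. Below is an added example, not pkgsrc's own code, of a small POSIX sh checker for lines in pkgsrc's `ALGO (file) = digest` distinfo format. It assumes `md5sum`/`sha1sum`/`sha256sum` (or `openssl dgst` as a fallback) are on PATH, and the sample distfiles and distinfo it checks are constructed in a temporary directory; the function names `digest_of`, `verify_distinfo` and `make_sample` are hypothetical. It accepts SHA256 alongside the MD5 the message mentions, since MD5 alone is no longer collision resistant.

```shell
#!/bin/sh
# Added example (not pkgsrc code): verify a distfile against pkgsrc-style
# distinfo lines such as "MD5 (foo-1.0.tar.gz) = <hex>" before extracting it.

# digest_of ALGO FILE: print the lowercase hex digest of FILE.
# Uses the coreutils-style *sum tool when present, else openssl dgst.
digest_of() {
    algo=$1; file=$2
    case "$algo" in
        MD5)    tool=md5sum ;;
        SHA1)   tool=sha1sum ;;
        SHA256) tool=sha256sum ;;
        *)      echo "unsupported digest type: $algo" >&2; return 2 ;;
    esac
    if command -v "$tool" >/dev/null 2>&1; then
        "$tool" "$file" | awk '{print $1}'
    else
        openssl dgst -"$(echo "$algo" | tr 'A-Z' 'a-z')" "$file" | awk '{print $NF}'
    fi
}

# verify_distinfo DISTINFO FILE: exit 0 only if every entry recorded for FILE
# (digests and the optional "Size (file) = N bytes" line) matches.
# 1 = mismatch, 2 = digest type we cannot compute, 3 = no entry at all.
# Anything other than 0 means: do not extract, do not patch.
verify_distinfo() {
    distinfo=$1; file=$2; base=$(basename "$file"); seen=0
    while read -r algo name eq expected; do
        [ "$name" = "($base)" ] || continue      # skips $NetBSD$ header, blanks
        seen=1
        if [ "$algo" = "Size" ]; then
            actual="$(wc -c < "$file" | tr -d ' ') bytes"
        else
            actual=$(digest_of "$algo" "$file") || return 2
        fi
        if [ "$actual" != "$expected" ]; then
            echo "$base: $algo mismatch (expected '$expected', got '$actual')" >&2
            return 1
        fi
    done < "$distinfo"
    if [ "$seen" -ne 1 ]; then
        echo "$base: no entry in $distinfo, refusing to trust it" >&2
        return 3
    fi
    return 0
}

# make_sample DIR: constructed test data. The "tarballs" are just the six
# bytes "hello\n" (and a one-byte tampered variant), so the digests below are
# the well-known values for that input, not real distfile checksums.
make_sample() {
    dir=$1
    mkdir -p "$dir/distfiles" "$dir/tampered"
    printf 'hello\n' > "$dir/distfiles/foo-1.0.tar.gz"
    printf 'hellp\n' > "$dir/tampered/foo-1.0.tar.gz"   # same size, one byte off
    printf 'hello\n' > "$dir/distfiles/unlisted-2.0.tar.gz"
    cat > "$dir/distinfo" <<'EOF'
$NetBSD: distinfo,v 1.1 1999/12/17 00:00:00 example Exp $

MD5 (foo-1.0.tar.gz) = b1946ac92492d2347c6235b4d2611184
SHA256 (foo-1.0.tar.gz) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
Size (foo-1.0.tar.gz) = 6 bytes
EOF
}

# Demo on the constructed data: the genuine copy passes, the tampered copy and
# the file with no distinfo entry are both refused.
demo=$(mktemp -d)
make_sample "$demo"
verify_distinfo "$demo/distinfo" "$demo/distfiles/foo-1.0.tar.gz" \
    && echo "ok: foo-1.0.tar.gz matches distinfo, safe to extract"
verify_distinfo "$demo/distinfo" "$demo/tampered/foo-1.0.tar.gz" \
    || echo "refused tampered copy (rc=$?)"
verify_distinfo "$demo/distinfo" "$demo/distfiles/unlisted-2.0.tar.gz" \
    || echo "refused unlisted distfile (rc=$?)"
rm -rf "$demo"
```

The checker deliberately treats "no entry" and "digest type I cannot compute" as failures rather than as passes; a verifier that silently skips what it does not understand gives no protection against a distinfo edited to drop a line. Checking the PGP signature on the upstream tarball, as the message suggests, is a separate step that this script does not replace.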