tech-pkg archive


Re: pkg/47518: security/libssh MUST be replaced by the real wip/libssh



(top post)

Vulnerabilities in NetBSD are no longer taken seriously.

For example, take:
CVE-2012-4559, CVE-2012-4560, CVE-2012-4561 and CVE-2012-4562.
We cannot say _anything_ about whether we have this vulnerability,
given we have an impostor libssh and not _the_real_thing_,
which we do distribute to you all.

I am totally ashamed of our platform.

On Thu, 2013-01-31 at 15:20 +0000, gnats-admin%netbsd.org@localhost wrote:
> Thank you very much for your problem report.
> It has the internal identification `pkg/47518'.
> The individual assigned to look at your
> report is: pkg-manager. 
> 
> >Category:       pkg
> >Responsible:    pkg-manager
> >Synopsis:       security/libssh MUST be replaced by the real wip/libssh
> >Arrival-Date:   Thu Jan 31 15:20:00 +0000 2013

http://mail-index.netbsd.org/pkgsrc-wip-cvs/2013/01/31/msg030641.html

http://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=47518

From www%NetBSD.org@localhost  Thu Jan 31 15:16:38 2013
Return-Path: <www%NetBSD.org@localhost>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
        by www.NetBSD.org (Postfix) with ESMTP id E3C1363C07C
        for <gnats-bugs%gnats.NetBSD.org@localhost>; Thu, 31 Jan 2013 15:16:37 
+0000 (UTC)
Message-Id: <20130131151637.3F98C63C07C%www.NetBSD.org@localhost>
Date: Thu, 31 Jan 2013 15:16:37 +0000 (UTC)
From: noud4%home.nl@localhost
Reply-To: noud4%home.nl@localhost
To: gnats-bugs%NetBSD.org@localhost
Subject: security/libssh MUST be replaced by the real wip/libssh
X-Send-Pr-Version: www-1.0


>Number:         47518
>Category:       pkg
>Synopsis:       security/libssh MUST be replaced by the real wip/libssh
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Thu Jan 31 15:20:00 +0000 2013
>Last-Modified:  Thu Jan 31 15:40:04 +0000 2013
>Originator:     Noud de Brouwer
>Release:        does imply all releases that can build security/libssh
>Organization:
-none-
>Environment:
NetBSD 10.0.2.17 6.99.16 NetBSD 6.99.16 (MONOLITHIC.UGEN) #7: Wed Jan 16 
02:06:10 UTC 2013  
mickey55@10.0.2.17:/obj-src/sys/arch/i386/compile/MONOLITHIC.UGEN i386
>Description:
security/libssh is an imposter and wip/libssh is the real thing.


security/libssh/Makefile:
DISTNAME=       libssh-0.11
PKGREVISION=    3
CATEGORIES=     security
MASTER_SITES=   http://www.0xbadc0de.be/libssh/


wip/libssh/Makefile:
DISTNAME=               libssh-0.5.3
CATEGORIES=             security
MASTER_SITES=           http://www.libssh.org/files/0.5/


Now, what are the implications!! We do _not_ know in the current situation
whether we are exploitable through:
CVE-2012-4559, CVE-2012-4560, CVE-2012-4561 and CVE-2012-4562.


Furthermore: this _totally_ unknown security/libssh is used in
wip/gtk-grdc, which can be removed given we now have net/remmina.


Furthermore: we now have security/hydra;
if we want to keep this, it should be in malware/hydra.


I highly advise retrieving ASau's account, and even want his
sponsor to be monitored now (given I do not constantly want to
check for booby-traps, backdoors and the like, given time).
>How-To-Repeat:
yeah (use your eyes and knowledge).
>Fix:
Remove the existing security/libssh and pull up wip/libssh,
preferably immediately.
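
As an added example (not from the PR, pkgsrc, or either libssh package), a small audit script that parses the two Makefile fragments quoted above, checks MASTER_SITES provenance before comparing DISTNAME versions, and names the CVEs that cannot be ruled out. It assumes, as the comments state, that the four CVEs are fixed in libssh 0.5.3 and that www.libssh.org is the only trusted upstream; the point it illustrates is that a plain numeric compare would rate the 2008 "0.11" above 0.5.3, so provenance has to be checked first.

```python
import re
# Constructed samples: the two pkgsrc Makefile fragments quoted in the PR.
SECURITY_LIBSSH = """\
DISTNAME=       libssh-0.11
PKGREVISION=    3
CATEGORIES=     security
MASTER_SITES=   http://www.0xbadc0de.be/libssh/
"""
WIP_LIBSSH = """\
DISTNAME=               libssh-0.5.3
CATEGORIES=             security
MASTER_SITES=           http://www.libssh.org/files/0.5/
"""
# Assumptions for this example (not stated in the PR): the four CVEs are fixed in libssh 0.5.3, and www.libssh.org is the only trusted upstream.
CVES = ("CVE-2012-4559", "CVE-2012-4560", "CVE-2012-4561", "CVE-2012-4562")
FIXED_IN = (0, 5, 3)
TRUSTED_HOSTS = {"www.libssh.org"}

def parse_makefile(text):
    """Collect VAR=value assignments from a pkgsrc Makefile fragment."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Z_]+)\s*[?:+]?=\s*(.*?)\s*$", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def version_of(distname):
    """'libssh-0.5.3' -> (0, 5, 3): the text after the last '-' is the version."""
    return tuple(int(x) for x in distname.rsplit("-", 1)[1].split("."))

def host_of(url):
    return re.match(r"^[a-z]+://([^/]+)", url).group(1)

def assess(text):
    """'fixed', 'vulnerable' or 'unknown-provenance' for one libssh Makefile."""
    mk = parse_makefile(text)
    # Check provenance before the number: a tuple compare alone rates 0.11
    # above 0.5.3, but 0.11 is a 2008 release from another host and line.
    if host_of(mk["MASTER_SITES"]) not in TRUSTED_HOSTS:
        return "unknown-provenance"
    return "fixed" if version_of(mk["DISTNAME"]) >= FIXED_IN else "vulnerable"

def report(pkgpath, text):
    """One audit line per package, naming the CVEs that cannot be ruled out."""
    status = assess(text)
    if status == "fixed":
        return f"{pkgpath}: ok"
    return f"{pkgpath}: {status}, cannot rule out {', '.join(CVES)}"
```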


>Audit-Trail:
From: Thomas Klausner <wiz%NetBSD.org@localhost>
To: NetBSD bugtracking <gnats-bugs%NetBSD.org@localhost>
Cc: 
Subject: Re: pkg/47518: security/libssh MUST be replaced by the real
 wip/libssh
Date: Thu, 31 Jan 2013 16:29:52 +0100


 On Thu, Jan 31, 2013 at 03:20:01PM +0000, noud4%home.nl@localhost wrote:
 > security/libssh in an imposter and wip/libssh is the real thing.

 
 I think it's just a really old version.
 http://www.0xbadc0de.be/libssh/
 has a file listing that says:
 [ ] libssh-0.11.tgz    09-Jan-2008 19:50       297K
 [ ] libssh_now_at_www.libssh.org    26-Apr-2010 23:33  0

 
 > furthermore: we now have security/hydra,
 > if we want to keep this it should be in malware/hydra.

 
 Why?

 
 Btw, there's a newer version of hydra out.
 http://freeworld.thc.org/thc-hydra/

 
 > i high advise to retrieve ASau his account, even want his
 > sponsor to be monitored now

 
 What does he have to do with anything? Just because he was the last to
 commit to hydra (destdir related)?

 
 This mail is much too blatant for my taste.
  Thomas

 
From: Noud de Brouwer <noud4%home.nl@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: 
Subject: Re: pkg/47518: security/libssh MUST be replaced by the real
 wip/libssh
Date: Thu, 31 Jan 2013 15:42:44 +0000


 On Thu, 2013-01-31 at 15:30 +0000, Thomas Klausner wrote:
 >  This mail is much too blatant for my taste.

 
 Err, no Thomas, you are fully mistaken on this one;
 security/libssh is totally blatant, not my PR and successive e-mails.
 >   Thomas
 -- noud


