tech-pkg archive


Re: pkg/47518: security/libssh MUST be replaced by the real wip/libssh



Noud de Brouwer <noud4%home.nl@localhost> writes:

> vulnerabilities in NetBSD are no longer taken seriously.
>
> example, take:
> CVE-2012-4559, CVE-2012-4560, CVE-2012-4561 and CVE-2012-4562
> we can not say _anything_ if we have this vulnerability,
> given we have an impostor libssh and not _the_real_thing_
> that we do distribute to you all.
>
> i am totally ashamed of our platform.

You'd rather be ashamed of yourself. There's little to be said about
the way you deal with this minor problem (only a handful of packages
affected which tells about the impact).

> Date: Thu, 31 Jan 2013 15:16:37 +0000 (UTC)
>
>>Number:         47518
>>Category:       pkg
>>Synopsis:       security/libssh MUST be replaced by the real wip/libssh
>>Confidential:   no
>>Severity:       critical
>>Priority:       high
>>Responsible:    pkg-manager
>>State:          open
>>Class:          change-request
>>Submitter-Id:   net
>>Arrival-Date:   Thu Jan 31 15:20:00 +0000 2013
>>Last-Modified:  Thu Jan 31 15:40:04 +0000 2013

Thus, you have posted it all within minutes leaving no time for any reaction.

> security/libssh is an imposter and wip/libssh is the real thing.
>
>
> security/libssh/Makefile:
> DISTNAME=       libssh-0.11
> PKGREVISION=    3
> CATEGORIES=     security
> MASTER_SITES=   http://www.0xbadc0de.be/libssh/
>
>
> wip/libssh/Makefile:
> DISTNAME=               libssh-0.5.3
> CATEGORIES=             security
> MASTER_SITES=           http://www.libssh.org/files/0.5/

One IRC user has pointed out to you that the source files for libssh-0.11
(the one pkgsrc refers to) and libssh-0.1 (the one libssh.org distributes)
are identical. Thus, 0xbadc0de.be is not an impostor.

Thus, you're lying in public.

> i highly advise to retrieve ASau his account, even want his
> sponsor to be monitored now (given i do not constantly want to
> check for booby-traps, backdoors and the like given time.)

Why not close the project as well? Perhaps there're more developers
who created bugs with security impact (sometimes more severe than the ones
in an almost unused package I have almost no relation to).


-- 
HE CE3OH...


