Re: Debian libssl security (OpenSSH safe?)
On Thu, 2008-05-15 at 06:31 -0700, Darrin Chandler wrote:
> Can you explain why that's not effective? Do you know ssh-vulnkey (or the Perl script) does not reliably detect bad keys?

Just to ensure I have facts separated from co-workers just going on paranoid tangents, I checked again and asked those who noted it did not work exactly what happened, now that the 'knee jerk' syndrome is over.

2 people might have botched the install (not a reliable indicator)
3 did not have ordinary configurations (again, not a reliable indicator)
1 reported weak keys weren't detected.

So, I guess I can't be sure. I know that it didn't work for some but that might be due to human error. Things go badly when rushing :)

What does seem correct is that the utility can't guess beyond the typical locations and names.

Sorry for the ambiguity,

--Tim

--
Monkey + Typewriter = Echoreply ( http://echoreply.us )
Re: Debian libssl security (OpenSSH safe?)
On Thu, 2008-05-15 at 10:02 +0100, Dave Ewart wrote:
> Debian (and thus also Ubuntu) have released updated openssh packages which include a new tool called ssh-vulnkey which can be used to check the running system[1] for vulnerable keys: ssh-vulnkey works similarly to the Perl script in the Debian announcement.

That is not 100% effective (afaik). It's still advised that you toss any key that you are not 100% certain came from a non-affected system, for every user. They can always go back in once you're sure that they are safe.

> I believe the original assessment was correct: *all* systems running SSH ought to check for these vulnerable keys, not just those systems running Debian or derivatives.

Correct, it is a user-propagated issue. It's best to just chuck all keys for now and put them back as you're sure that they did not come from a buggy keygen.

> Yes, it's Debian's fault, but we all have to manage the consequences.

Shit happens :)

--
Monkey + Typewriter = Echoreply ( http://echoreply.us )
Re: Debian libssl security (OpenSSH safe?)
On Thursday, 15.05.2008 at 07:11 +0200, Otto Moerbeek wrote:
> On Wed, May 14, 2008 at 07:43:25PM -0700, Darrin Chandler wrote:
>> On Wed, May 14, 2008 at 10:22:11PM -0400, Ted Unangst wrote:
>>> On 5/14/08, Ben Calvert [EMAIL PROTECTED] wrote:
>>>> On May 14, 2008, at 5:22 PM, Darrin Chandler wrote:
>>>>> Are you sure that's a decent analysis? If you have a non-debian system with the full number of keys available, what are the chances that you've landed on one of the 32767 keys? Not very likely. So that analysis seems alarmist and sensational to me.
>>>
>>> Because nobody would ever run ssh-keygen on their ubuntu desktop and copy that to authorized_keys on another computer.
>>
>> Sure. Lots of those keys out there already. So is something like ssh-vulnkey the right approach? I do have a couple of users on one of my boxes. Mind, they're all good OpenBSD people and I really hope their keys didn't come from a debian box. It'll be nice to find out that the keys are ok.
>
> You can use the perl script in the debian announcement to check host keys and user keys.

For info, Debian (and thus also Ubuntu) have released updated openssh packages which include a new tool called ssh-vulnkey which can be used to check the running system[1] for vulnerable keys: ssh-vulnkey works similarly to the Perl script in the Debian announcement.

The package has also had an additional option added to sshd_config which blacklists (i.e. stops use of) these vulnerable keys. Once updated, Debian and Ubuntu systems will reject connections based on these vulnerable keys.

One of my machines at home is an Ubuntu laptop and my OpenBSD box had a copy of its public key in ~/.ssh/authorized_keys so that logging into it is simpler from the laptop - if this box were exposed to the world, then it would only take 32,000 attempts to get into it, if my username is known. I've removed the vulnerable public key from the OpenBSD box now.

I believe the original assessment was correct: *all* systems running SSH ought to check for these vulnerable keys, not just those systems running Debian or derivatives. Yes, it's Debian's fault, but we all have to manage the consequences.

If only Debian and Ubuntu's openssh is updated, then they will be *more* secure than non-updated OpenBSD, Solaris, Red Hat Linux etc.

Cheers, Dave.

[1] It checks host keys and also the contents of authorized_keys

--
Dave Ewart
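Dave's footnote [1] names the two places such a tool looks (host keys and authorized_keys), and Tim Post's point elsewhere in the thread is that the tool cannot guess keys kept in non-default locations. As an added example (not ssh-vulnkey, not the Debian Perl script, and not code from anyone in this thread), here is a small Python checker that parses authorized_keys and host *.pub lines, including lines carrying an options prefix, computes each key's MD5 fingerprint and looks it up in a blacklist; the one-fingerprint-per-line blacklist format, the toy-sized keys and the sample file contents are constructed assumptions.

```python
import base64
import binascii
import hashlib
import re
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss"}  # the key types DSA-1571 is about
# Tokenizer for '[options] keytype base64 [comment]': splits on whitespace but
# keeps a quoted option such as command="rsync --server" together.
TOKEN_RE = re.compile(r'(?:"[^"]*"|[^\s"])+')


def read_ssh_string(buf, off):
    """Read one length-prefixed SSH 'string' (RFC 4251) starting at off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])  # struct.error if too short
    if off + 4 + n > len(buf):
        raise ValueError("truncated blob")
    return buf[off + 4:off + 4 + n], off + 4 + n


def md5_fingerprint(blob):
    """Colon-separated MD5 of the key blob, the form ssh-keygen -l printed in 2008."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def parse_pubkey_line(line):
    """Return (keytype, blob) for an authorized_keys or host *.pub line, else None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = TOKEN_RE.findall(line)
    for i, tok in enumerate(tokens[:-1]):
        if tok not in KEY_TYPES:
            continue  # still inside the options prefix
        try:
            blob = base64.b64decode(tokens[i + 1], validate=True)
            inner_type, _ = read_ssh_string(blob, 0)
        except (binascii.Error, struct.error, ValueError):
            return None
        return (tok, blob) if inner_type == tok.encode() else None
    return None


def load_blacklist(text):
    """Constructed format (an assumption, not Debian's): one fingerprint per line."""
    out = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().replace(":", "").lower()
        if entry:
            out.add(entry)
    return out


def scan_lines(lines, source, blacklist):
    """Return (source, line_no, keytype, fingerprint) for each blacklisted key."""
    hits = []
    for no, line in enumerate(lines, 1):
        parsed = parse_pubkey_line(line)
        if parsed is None:
            continue
        keytype, blob = parsed
        fp = md5_fingerprint(blob)
        if fp.replace(":", "") in blacklist:
            hits.append((source, no, keytype, fp))
    return hits


def rsa_blob(e, n):
    """ssh-rsa public key blob from constructed toy-sized numbers (not a real key)."""
    def mpint(v):  # extra leading byte keeps the sign bit clear
        b = v.to_bytes((v.bit_length() + 8) // 8, "big")
        return struct.pack(">I", len(b)) + b
    return struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)


def demo():
    """Constructed sample: one blacklisted key behind an options prefix, one clean key."""
    weak, good = rsa_blob(65537, 0xC0FFEE), rsa_blob(65537, 0xBADCAFE1)
    blacklist = load_blacklist("# constructed\n" + md5_fingerprint(weak).upper())
    authorized_keys = [
        "# constructed ~/.ssh/authorized_keys",
        'command="/usr/bin/rsync --server",no-pty ssh-rsa '
        + base64.b64encode(weak).decode() + " backup@laptop",
        "ssh-rsa " + base64.b64encode(good).decode() + " user@openbsd",
    ]
    return scan_lines(authorized_keys, "~/.ssh/authorized_keys", blacklist)
```

To cover a real file in any location, pass `open(path)` and the path to `scan_lines`; a host key file such as ssh_host_rsa_key.pub is parsed by the same function since it is one key line without options.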
Re: Debian libssl security (OpenSSH safe?)
On 2008-05-15, Ben Calvert [EMAIL PROTECTED] wrote:
> and it only applies if you're using keys _without_passphrase_.

Passphrases protect your on-disk copy of the key. The key can be re-encrypted with a different key, or decrypted and written out; it's still the same key. If you ssh-keygen -p, you don't need to change authorized_keys files on all the hosts where your key is listed. The metasploit generated keys are obviously not encrypted, so there are sets of private keys floating round for each of 1Kb DSA, 2Kb and now 4Kb RSA...

> do people actually allow remote root access ? for more than 5 minutes after install?

Yes, though PermitRootLogin without-password is not uncommon, so that those pesky insecure passwords can't be used, only allowing the nice secure private keys instead. Oh wait...

Anyone know if it's possible to require more than one type of authentication, e.g. _both_ password and key-based? I didn't see a way, but may have missed something.
Re: Debian libssl security (OpenSSH safe?)
On Thu, May 15, 2008 at 05:44:32PM +0800, Tim Post wrote:
> On Thu, 2008-05-15 at 10:02 +0100, Dave Ewart wrote:
>> Debian (and thus also Ubuntu) have released updated openssh packages which include a new tool called ssh-vulnkey which can be used to check the running system[1] for vulnerable keys: ssh-vulnkey works similarly to the Perl script in the Debian announcement.
>
> That is not 100% effective (afaik). It's still advised that you toss any key that you are not 100% certain came from a non-affected system, for every user. They can always go back in once you're sure that they are safe.

Can you explain why that's not effective? Do you know ssh-vulnkey (or the Perl script) does not reliably detect bad keys?

--
Darrin Chandler            |  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]          |  http://phxbug.org/      |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation
Re: Debian libssl security (OpenSSH safe?)
On Thu, May 15, 2008 at 12:53:06AM +, Jussi Peltola wrote:
> On Wed, May 14, 2008 at 05:30:18PM -0700, Ben Calvert wrote:
>> On May 14, 2008, at 5:22 PM, Darrin Chandler wrote:
>>> On Thu, May 15, 2008 at 01:45:51AM +0200, raven wrote:
>>
>> do people actually allow remote root access ? for more than 5 minutes after install?
>
> Too many people still use SSH public keys for root in automated scripts. Besides, cracking your normal user account can result in just as bad consequences as cracking the root account, especially if you su or sudo to root...

Remember that in linux/debian, files don't inherit the ownership of the directory into which they are placed. Therefore, e.g. for copying backup files from one box to another with rsync, if a normal user does it (assuming that user has write permission to, e.g. on debian, /var/local/backup), then the files end up owned by that user. The user can't change the ownership to root. This may not seem like a huge problem for e.g. tarballs that protect the ownership and permissions of files, but for regular files, e.g. copies from /etc, then it's an issue. Also, during restore, if that uid is either not the same user or no user at all, things can get interesting. Better to have root have ssh access to the backup repository box for rsyncing the backups. Root has to do the backups since debian packages don't come set up for operator to be able to read otherwise unreadable files.

Doug.
Re: More details show that someone seriously fucked up in debian. [Was: Re: Debian libssl security (OpenSSH safe?)]
On Wed, 14 May 2008, chefren wrote:
> On 5/13/08 7:08 PM, Marc Espie wrote:
>> More details show that someone seriously fucked up in debian.
>
> Well, this Kurt has seriously asked for details on the relevant openssl-dev list:
>
> http://marc.info/?l=openssl-dev&m=114651085826293&w=2
>
> And see what arrogant as usual Ben Laurie states:
>
> http://www.links.org/?p=327
>
> "they should contribute their patches upstream to the package maintainers. Had Debian done this in this case, we (the OpenSSL Team) would have fallen about laughing, and once we had got our breath back, told them what a terrible idea this was."
>
> Kurt has clearly done so,

No, he hasn't. A question posed to a predominantly users' mailing list is not the same as a proper bug report and patch submission. Vendors, especially the size of Debian, should be held to a high standard of behaviour.

Critically, he didn't identify that he was considering removing these lines *for every user of Debian*.

> and I know personally of another totally ignored patch from our company and I have heard in the past about OpenBSD people trying to send patches to OpenSSL maintainers to no avail.

Speaking as someone who has done the last two revs of the OpenBSD libssl, I haven't tried to upstream our changes - they're OpenBSD specific things like using /dev/arandom and /dev/crypto. I think that any serious patch we sent would have a good chance of inclusion.

> The OpenSSL maintainers have proven not to read their mail, they aren't interested in cleaning up their big mess.
>
> Laurie also states "never fix a bug you don't understand" and this OpenSSL hero seems to forget that something that seems smart and OK now and here can be plain bad and ugly when looked at with some more distance or knowledge.

No, he is 100% correct. Vendors adding value to security software when they lack basic code comprehension skills is simply dangerous to their users. It is surprising that this should be controversial.

> His "Adding uninitialised memory to it can do no harm and might do some good, which is why we do it." is pure arrogant and shortsighted shit to me.

Congratulations, you have just demonstrated yourself to be the same category of incomprehension as the Debian developers.

-d
Re: More details show that someone seriously fucked up in debian. [Was: Re: Debian libssl security (OpenSSH safe?)]
On Wed, May 14, 2008 at 12:48:41AM +0200, chefren wrote:
> On 5/13/08 7:08 PM, Marc Espie wrote:
>> More details show that someone seriously fucked up in debian.
>
> Well, this Kurt has seriously asked for details on the relevant openssl-dev list:
>
> http://marc.info/?l=openssl-dev&m=114651085826293&w=2
>
> And see what arrogant as usual Ben Laurie states:
>
> http://www.links.org/?p=327
>
> "they should contribute their patches upstream to the package maintainers. Had Debian done this in this case, we (the OpenSSL Team) would have fallen about laughing, and once we had got our breath back, told them what a terrible idea this was."
>
> Kurt has clearly done so, and I know personally of another totally ignored patch from our company and I have heard in the past about OpenBSD people trying to send patches to OpenSSL maintainers to no avail. The OpenSSL maintainers have proven not to read their mail, they aren't interested in cleaning up their big mess.
>
> Laurie also states "never fix a bug you don't understand" and this OpenSSL hero seems to forget that something that seems smart and OK now and here can be plain bad and ugly when looked at with some more distance or knowledge.
>
> His "Adding uninitialised memory to it can do no harm and might do some good, which is why we do it." is pure arrogant and shortsighted shit to me.
>
> +++chefren

Of course it is wrong to /depend/ on uninitialized mem to stir a random pool. Often uninitialized means lots of zeroes or predictable stack contents.

But the actual Debian diff that was committed removes any stirring, it seems. From a quick view, no actual data from the passed in argument is being used to stir the pool anymore. Now that is the real problem. Because even if you have collected nice data with high entropy to seed the PRNG, it will be ignored.

The openssl-dev list did not spot that, and indeed, that is disturbing. But Kurt never actually posted a diff there: so it's easy for the two sides to be talking about different things.

As for the arrogance: I'm pretty sure openssl proper contains more bugs. When I wrote our dc(1) (which uses the bignum lib from openssl) that occurred when adding 0 to a bignum A, which resulted in A not being equal to the result. I was quite surprised that bug was never found before. Probably crypto code only covers parts of the bignum functionality. The handling of that bug was adequate, though.

-Otto
Re: Debian libssl security (OpenSSH safe?)
On Tue, 13 May 2008 11:14:59 -0500 Sean Malloy [EMAIL PROTECTED] wrote:
> On Tue, May 13, 2008 at 11:37:38AM -0400, Juan Miscaro wrote:
>> I guess everyone by now has heard about the very serious libssl vulnerability on Debian/Ubuntu? Just making sure that the source is safe, thanks.
>>
>> /juan
>
> Here is a quote from the official Debian Security announcement, DSA-1571 http://www.debian.org/security/2008/dsa-1571.
>
> "This is a Debian-specific vulnerability which does not affect other operating systems which are not based on Debian. However, other systems can be indirectly affected if weak keys are imported into them."

Just wondering... If someone generates ssh keys with flags J or Z set in malloc.conf(5), aren't these keys useless too (since feeding predictable data is more or less equal to not feeding data at all)?
Re: Debian libssl security (OpenSSH safe?)
On Wed, May 14, 2008 at 09:41:43AM +0200, Gabriel Linder wrote:
> On Tue, 13 May 2008 11:14:59 -0500 Sean Malloy [EMAIL PROTECTED] wrote:
>> On Tue, May 13, 2008 at 11:37:38AM -0400, Juan Miscaro wrote:
>>> I guess everyone by now has heard about the very serious libssl vulnerability on Debian/Ubuntu? Just making sure that the source is safe, thanks.
>>>
>>> /juan
>>
>> Here is a quote from the official Debian Security announcement, DSA-1571 http://www.debian.org/security/2008/dsa-1571.
>>
>> "This is a Debian-specific vulnerability which does not affect other operating systems which are not based on Debian. However, other systems can be indirectly affected if weak keys are imported into them."
>
> Just wondering... If someone generates ssh keys with flags J or Z set in malloc.conf(5), aren't these keys useless too (since feeding predictable data is more or less equal to not feeding data at all)?

We're talking about stack data here, not heap, and besides, the uninited data is only an extra source of entropy. The faulty Debian diff removed almost all seeding from the PRNG. That was the actual error.

-Otto
Re: Debian libssl security (OpenSSH safe?)
On 5/14/08, Gabriel Linder [EMAIL PROTECTED] wrote:
> Just wondering... If someone generates ssh keys with flags J or Z set in malloc.conf(5), aren't these keys useless too (since feeding predictable data is more or less equal to not feeding data at all)?

feeding predictable data + unpredictable data is not the same as feeding no data at all.
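Otto's point (the committed diff stopped folding the caller's seed buffer into the pool, so only the process id still varied) and Ted's reply (predictable plus unpredictable input is not the same as no input) can be checked on a toy model. This is an added example, not OpenSSL's md_rand code and not code from anyone in this thread; the ToyPool class, its SHA-256 mixing and the seed and PID ranges are constructed assumptions that keep only the shape of the argument.

```python
import hashlib
import os

POOL_BYTES = 32


class ToyPool:
    """Hash-based entropy pool standing in for the real one (constructed, not OpenSSL).

    Seed material is folded into the state by hashing; output is derived from
    the state together with the calling process id.
    """

    def __init__(self, stir_seed):
        self.state = bytes(POOL_BYTES)   # pool starts out all zero
        self.stir_seed = stir_seed

    def add(self, seed):
        # The broken build behaves as if this branch had been commented out:
        # whatever the caller collected (/dev/urandom bytes, junk, anything)
        # is no longer folded into the pool.
        if self.stir_seed:
            self.state = hashlib.sha256(self.state + seed).digest()

    def generate(self, pid, n):
        # The process id was still mixed in on every call, which is why the
        # key space collapsed to the PID range rather than to a single key.
        out = b""
        while len(out) < n:
            self.state = hashlib.sha256(self.state + pid.to_bytes(4, "big")).digest()
            out += self.state
        return out[:n]


def distinct_outputs(stir_seed, seeds, pids):
    """Count how many different 16-byte outputs the pool produces over seeds x pids."""
    seen = set()
    for seed in seeds:
        for pid in pids:
            pool = ToyPool(stir_seed)
            pool.add(seed)
            seen.add(pool.generate(pid, 16))
    return len(seen)


def demo():
    """Constructed inputs: 50 seeds made of predictable junk plus real randomness,
    run under 100 of the 32768 possible PIDs; returns (stirred, not stirred)."""
    junk = b"\xd0" * 16                                   # malloc J-style fill: predictable
    seeds = [junk + os.urandom(16) for _ in range(50)]    # predictable + unpredictable
    pids = range(1000, 1100)
    return distinct_outputs(True, seeds, pids), distinct_outputs(False, seeds, pids)
```

With stirring, every (seed, pid) pair yields its own output; with the stirring removed, the 50 seeds are ignored and only 100 outputs (one per PID) remain, and a seed that is entirely predictable junk gives the same 100 even with stirring on.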
Re: More details show that someone seriously fucked up in debian. [Was: Re: Debian libssl security (OpenSSH safe?)]
On Wed, May 14, 2008 at 08:47:38AM +0200, Otto Moerbeek wrote:
> On Wed, May 14, 2008 at 12:48:41AM +0200, chefren wrote:
>> On 5/13/08 7:08 PM, Marc Espie wrote:
>>> More details show that someone seriously fucked up in debian.
>>
>> Well, this Kurt has seriously asked for details on the relevant openssl-dev list:
>>
>> http://marc.info/?l=openssl-dev&m=114651085826293&w=2
>>
>> And see what arrogant as usual Ben Laurie states:
>>
>> http://www.links.org/?p=327
>>
>> "they should contribute their patches upstream to the package maintainers. Had Debian done this in this case, we (the OpenSSL Team) would have fallen about laughing, and once we had got our breath back, told them what a terrible idea this was."
>>
>> Kurt has clearly done so, and I know personally of another totally ignored patch from our company and I have heard in the past about OpenBSD people trying to send patches to OpenSSL maintainers to no avail. The OpenSSL maintainers have proven not to read their mail, they aren't interested in cleaning up their big mess.
>>
>> Laurie also states "never fix a bug you don't understand" and this OpenSSL hero seems to forget that something that seems smart and OK now and here can be plain bad and ugly when looked at with some more distance or knowledge.
>>
>> His "Adding uninitialised memory to it can do no harm and might do some good, which is why we do it." is pure arrogant and shortsighted shit to me.
>>
>> +++chefren
>
> Of course it is wrong to /depend/ on uninitialized mem to stir a random pool. Often uninitialized means lots of zeroes or predictable stack contents.
>
> But the actual Debian diff that was committed removes any stirring, it seems. From a quick view, no actual data from the passed in argument is being used to stir the pool anymore. Now that is the real problem. Because even if you have collected nice data with high entropy to seed the PRNG, it will be ignored.
>
> The openssl-dev list did not spot that, and indeed, that is disturbing. But Kurt never actually posted a diff there: so it's easy for the two sides to be talking about different things.
>
> As for the arrogance: I'm pretty sure openssl proper contains more bugs. When I wrote our dc(1) (which uses the bignum lib from openssl) that occurred when adding 0 to a bignum A, which resulted in A not being equal to the result. I was quite surprised that bug was never

Ehh, this part is missing something. What I meant to write:

As for the arrogance: I'm pretty sure openssl proper contains bugs. When I wrote our dc(1) (which uses the bignum lib from openssl) I stumbled upon a bug that occurred when adding 0 to a bignum A, which resulted in A not being equal to the result. I was quite surprised that bug was never found before. Probably crypto code only covers parts of the bignum functionality. The handling of that bug was adequate, though.

-Otto
Re: Debian libssl security (OpenSSH safe?)
Ted Unangst wrote:
> On 5/14/08, Gabriel Linder [EMAIL PROTECTED] wrote:
>> Just wondering... If someone generates ssh keys with flags J or Z set in malloc.conf(5), aren't these keys useless too (since feeding predictable data is more or less equal to not feeding data at all)?

A decent analysis can be found here... just to understand what a comment /* */ can do :)

http://blog.drinsama.de/erich/en/linux/2008051401-consequences-of-sslssh-weakness.html

francesco
Re: Debian libssl security (OpenSSH safe?)
On Thu, May 15, 2008 at 01:45:51AM +0200, raven wrote:
> Ted Unangst wrote:
>> On 5/14/08, Gabriel Linder [EMAIL PROTECTED] wrote:
>>> Just wondering... If someone generates ssh keys with flags J or Z set in malloc.conf(5), aren't these keys useless too (since feeding predictable data is more or less equal to not feeding data at all)?
>
> A decent analysis can be found here... just to understand what a comment /* */ can do :)
>
> http://blog.drinsama.de/erich/en/linux/2008051401-consequences-of-sslssh-weakness.html

Are you sure that's a decent analysis? If you have a non-debian system with the full number of keys available, what are the chances that you've landed on one of the 32767 keys? Not very likely. So that analysis seems alarmist and sensational to me.

--
Darrin Chandler            |  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]          |  http://phxbug.org/      |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation
Re: Debian libssl security (OpenSSH safe?)
On May 14, 2008, at 5:22 PM, Darrin Chandler wrote:
> On Thu, May 15, 2008 at 01:45:51AM +0200, raven wrote:
>> A decent analysis can be found here... just to understand what a comment /* */ can do :)
>>
>> http://blog.drinsama.de/erich/en/linux/2008051401-consequences-of-sslssh-weakness.html
>
> Are you sure that's a decent analysis? If you have a non-debian system with the full number of keys available, what are the chances that you've landed on one of the 32767 keys? Not very likely. So that analysis seems alarmist and sensational to me.

and it only applies if you're using keys _without_passphrase_. on your root account.

do people actually allow remote root access ? for more than 5 minutes after install?
Re: Debian libssl security (OpenSSH safe?)
On Wed, May 14, 2008 at 05:30:18PM -0700, Ben Calvert wrote:
> On May 14, 2008, at 5:22 PM, Darrin Chandler wrote:
>> On Thu, May 15, 2008 at 01:45:51AM +0200, raven wrote:
>>> A decent analysis can be found here... just to understand what a comment /* */ can do :)
>>>
>>> http://blog.drinsama.de/erich/en/linux/2008051401-consequences-of-sslssh-weakness.html
>>
>> Are you sure that's a decent analysis? If you have a non-debian system with the full number of keys available, what are the chances that you've landed on one of the 32767 keys? Not very likely. So that analysis seems alarmist and sensational to me.

Your users may very well have keys generated on debian based systems. I don't know about you, but I don't want just anyone getting a luser account on my systems.

> and it only applies if you're using keys _without_passphrase_. on your root account.

Umm, no? What does the passphrase have to do with this...

> do people actually allow remote root access ? for more than 5 minutes after install?

Too many people still use SSH public keys for root in automated scripts. Besides, cracking your normal user account can result in just as bad consequences as cracking the root account, especially if you su or sudo to root...
Re: Debian libssl security (OpenSSH safe?)
On 5/14/08, Ben Calvert [EMAIL PROTECTED] wrote:
> On May 14, 2008, at 5:22 PM, Darrin Chandler wrote:
>> Are you sure that's a decent analysis? If you have a non-debian system with the full number of keys available, what are the chances that you've landed on one of the 32767 keys? Not very likely. So that analysis seems alarmist and sensational to me.

Because nobody would ever run ssh-keygen on their ubuntu desktop and copy that to authorized_keys on another computer.

> and it only applies if you're using keys _without_passphrase_. on your root account.
>
> do people actually allow remote root access ? for more than 5 minutes after install?

lots of people. some people even type sudo or su after logging in. not all of them type the full path every time they do so.
Re: Debian libssl security (OpenSSH safe?)
On Wed, May 14, 2008 at 10:22:11PM -0400, Ted Unangst wrote:
> On 5/14/08, Ben Calvert [EMAIL PROTECTED] wrote:
>> On May 14, 2008, at 5:22 PM, Darrin Chandler wrote:
>>> Are you sure that's a decent analysis? If you have a non-debian system with the full number of keys available, what are the chances that you've landed on one of the 32767 keys? Not very likely. So that analysis seems alarmist and sensational to me.
>
> Because nobody would ever run ssh-keygen on their ubuntu desktop and copy that to authorized_keys on another computer.

Sure. Lots of those keys out there already. So is something like ssh-vulnkey the right approach? I do have a couple of users on one of my boxes. Mind, they're all good OpenBSD people and I really hope their keys didn't come from a debian box. It'll be nice to find out that the keys are ok.

--
Darrin Chandler            |  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]          |  http://phxbug.org/      |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation
Re: Debian libssl security (OpenSSH safe?)
On 5/14/08, Darrin Chandler [EMAIL PROTECTED] wrote:
> Sure. Lots of those keys out there already. So is something like ssh-vulnkey the right approach? I do have a couple of users on one of my boxes. Mind, they're all good OpenBSD people and I really hope their keys didn't come from a debian box. It'll be nice to find out that the keys are ok.

Probably the best that can be done. This is a lot worse than a weak prng making numbers such that you can predict the next one given a previous one.

Personally, I haven't given much thought to the problem as I don't have users. But I think a safe, complete response goes a lot farther than just replacing a few bad keys.
Re: Debian libssl security (OpenSSH safe?)
On Wed, May 14, 2008 at 07:43:25PM -0700, Darrin Chandler wrote:
> On Wed, May 14, 2008 at 10:22:11PM -0400, Ted Unangst wrote:
>> On 5/14/08, Ben Calvert [EMAIL PROTECTED] wrote:
>>> On May 14, 2008, at 5:22 PM, Darrin Chandler wrote:
>>>> Are you sure that's a decent analysis? If you have a non-debian system with the full number of keys available, what are the chances that you've landed on one of the 32767 keys? Not very likely. So that analysis seems alarmist and sensational to me.
>>
>> Because nobody would ever run ssh-keygen on their ubuntu desktop and copy that to authorized_keys on another computer.
>
> Sure. Lots of those keys out there already. So is something like ssh-vulnkey the right approach? I do have a couple of users on one of my boxes. Mind, they're all good OpenBSD people and I really hope their keys didn't come from a debian box. It'll be nice to find out that the keys are ok.

You can use the perl script in the debian announcement to check host keys and user keys.

-Otto
Re: Debian libssl security (OpenSSH safe?)
On Tue, May 13, 2008 at 11:37:38AM -0400, Juan Miscaro wrote:
> I guess everyone by now has heard about the very serious libssl vulnerability on Debian/Ubuntu? Just making sure that the source is safe, thanks.
>
> /juan

Here is a quote from the official Debian Security announcement, DSA-1571 http://www.debian.org/security/2008/dsa-1571.

"This is a Debian-specific vulnerability which does not affect other operating systems which are not based on Debian. However, other systems can be indirectly affected if weak keys are imported into them."

--
Sean Malloy
www.spmalloy.com
Re: Debian libssl security (OpenSSH safe?)
On Tue, May 13, 2008 at 11:14:59AM -0500, Sean Malloy wrote:
> On Tue, May 13, 2008 at 11:37:38AM -0400, Juan Miscaro wrote:
>> I guess everyone by now has heard about the very serious libssl vulnerability on Debian/Ubuntu? Just making sure that the source is safe, thanks.
>>
>> /juan
>
> Here is a quote from the official Debian Security announcement, DSA-1571 http://www.debian.org/security/2008/dsa-1571.
>
> "This is a Debian-specific vulnerability which does not affect other operating systems which are not based on Debian. However, other systems can be indirectly affected if weak keys are imported into them."

More details show that someone seriously fucked up in debian.

Trusting automated reporting tools like valgrind is fairly dangerous. I'm saddened that people still don't learn.

`but this is a serious security warning. This MUST be fixed, valgrind canNOT be wrong.'

duh... well, it can, like every tool out there that understands the source only so far... better than some humans, granted, but hopefully not better (yet) than the people who write serious software...
Re: Debian libssl security (OpenSSH safe?)
On Tue, May 13, 2008 at 09:41:00PM +0400, B A wrote:
> Can't find relation between bug in openssl deb package and valgrind. There is no such info in the original link as I see (DSA-1571-1). Could you be more specific and informative? Thank you.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=363516
Re: Debian libssl security (OpenSSH safe?)
Yes. Not a good idea to modify sources just to satisfy an automatic testing tool. Good lesson!

13.05.08, 21:53, Marc Espie [EMAIL PROTECTED]:
> On Tue, May 13, 2008 at 09:41:00PM +0400, B A wrote:
>> Can't find relation between bug in openssl deb package and valgrind. There is no such info in the original link as I see (DSA-1571-1). Could you be more specific and informative? Thank you.
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=363516
Re: Debian libssl security (OpenSSH safe?)
Can't find relation between bug in openssl deb package and valgrind. There is no such info in the original link as I see (DSA-1571-1). Could you be more specific and informative? Thank you.

13.05.08, 21:00, Marc Espie [EMAIL PROTECTED]:
> More details show that someone seriously fucked up in debian.
>
> Trusting automated reporting tools like valgrind is fairly dangerous. I'm saddened that people still don't learn.
>
> `but this is a serious security warning. This MUST be fixed, valgrind canNOT be wrong.'
>
> duh... well, it can, like every tool out there that understands the source only so far... better than some humans, granted, but hopefully not better (yet) than the people who write serious software...
More details show that someone seriously fucked up in debian. [Was: Re: Debian libssl security (OpenSSH safe?)]
On 5/13/08 7:08 PM, Marc Espie wrote:
> More details show that someone seriously fucked up in debian.

Well, this Kurt has seriously asked for details on the relevant openssl-dev list:

http://marc.info/?l=openssl-dev&m=114651085826293&w=2

And see what arrogant as usual Ben Laurie states:

http://www.links.org/?p=327

"they should contribute their patches upstream to the package maintainers. Had Debian done this in this case, we (the OpenSSL Team) would have fallen about laughing, and once we had got our breath back, told them what a terrible idea this was."

Kurt has clearly done so, and I know personally of another totally ignored patch from our company and I have heard in the past about OpenBSD people trying to send patches to OpenSSL maintainers to no avail. The OpenSSL maintainers have proven not to read their mail, they aren't interested in cleaning up their big mess.

Laurie also states "never fix a bug you don't understand" and this OpenSSL hero seems to forget that something that seems smart and OK now and here can be plain bad and ugly when looked at with some more distance or knowledge.

His "Adding uninitialised memory to it can do no harm and might do some good, which is why we do it." is pure arrogant and shortsighted shit to me.

+++chefren