OpenSSH bug falls through the cracks

Posted Apr 11, 2008 0:27 UTC (Fri) by tialaramex (subscriber, #21167)
Parent article: OpenSSH bug falls through the cracks

I've seen this bug too. I have to say that I didn't particularly realise the security
implications, although I understand them in hindsight. I was glad when it got fixed by Red Hat
and then I forgot all about it.

The OpenBSD community has become very inward looking. I couldn't find any evidence that they'd
even looked at the DF bug for example. Does it affect OpenBSD? Apparently no-one cared enough
to even ask, or they simply don't notice any news from outside.

We may end up with the Free Software people proving to have been right, years after the fact -
as happened with 'git'. At the time OpenSSH took off, there were some smaller GPL'd SSH clones
with less obnoxious maintainers. Those projects lost traction with the success of OpenSSH but
of course the source code still exists. If it's going to become a problem to maintain OpenSSH,
one of those clones might be the replacement. Certainly if OpenSSH continues to fall down on
security it has lost its most obvious advantage in that space.


OpenSSH bug falls through the cracks

Posted Apr 17, 2008 8:33 UTC (Thu) by djm (subscriber, #11651)

Of course we looked at the Debian bug, the problem is that we only learned of it after they
made a public release. There are good mechanisms to avoid this sort of problem occurring
(nominated security contacts, vendor-sec, etc.) but none of them were used.

I'm not sure how any of this leads to us being "inward looking", which is frankly insulting
given how much time some of us spend ensuring OpenSSH continues to run on platforms we don't
use frequently or at all.

OpenSSH bug falls through the cracks

Posted May 20, 2008 4:36 UTC (Tue) by micah (guest, #20908)

> we only learned of it after they made a public release.

A what now? Debian's BTS is public throughout the whole cycle; there was no 'public release'
here.

Unless you mean to say that after a CVE was requested for an issue that had been reported in a
public bug tracking system for months. Which by the way is one of the "good mechanisms" that
are already out there.

When you made a scene about this originally, you were mistaken and I corrected you then, but
clearly your anger has kept you from hearing the facts. Claiming that "Debian" failed to avoid
this sort of problem just goes to show you do not know what you are talking about. The
original submitter of the bug was not a Debian developer and their posting to the Debian BTS
does not constitute Debian failing to use good mechanisms. If you don't know why, I'll tell
you: Debian don't control random people posting bugs to the public system, and once it's been
posted, there is nothing that Debian can do to make it go away.

If your idea of good security practices is that Debian should have taken a many-month-old bug
that had been sitting on a public web site, that had been indexed by search engines, reposted
to many mailing lists, gated to NNTP and forums, and wasted time trying to cover that up by
making the bug go away and chasing around Google, Yahoo, etc. to remove their cached
searches, scrubbing our public mailing list archives, asking GMANE to remove the posting from
their archives, etc., and then gone to vendor-sec to ask that a coordinated release be
undertaken... then you have to be out of your mind, or are just slandering Debian because
that's a convenient way to draw attention away from the fact that OpenSSH had a security hole.

Just take the hit, you had a security bug, and it sucked that it got a CVE assigned four days
after you released and were forced to release again. I know it makes you look bad, but don't
blame that on Debian, that makes you look worse.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds