pkgsrc-Users archive


Re: pkg/47518: security/libssh MUST be replaced by the real wip/libssh



(removed a bunch of CC)

There is no reason to think that the files from
http://www.0xbadc0de.be/libssh/ are "imposters".
It's much more likely that hosting for this project has simply moved.

0xbadc0de.be is linked from libssh.org, so I think it's pretty legit:
from the page:
        <h4>Blogroll</h4>
        <ul>
        <li><a href="http://blog.cryptomilk.org/" title="Andreas is one of
the developers of libssh, this is his blog." target="_blank">Blog of
Andreas</a></li>
<li><a href="http://blog.0xbadc0de.be">Blog of Aris</a></li>

Furthermore, "aris" is all over the git.  http://git.libssh.org/



Indeed, the package is highly out of date so it definitely makes sense
to update it.
I'm not sure what all the fuss is about, though.  We have plenty of
packages which need updates.


Looks like hydra is out of date too.  Instead of being disappointed
you could send in patches and build/test results.

Cheers,
Matt


On Thu, Jan 31, 2013 at 11:16 AM, Noud de Brouwer <noud4%home.nl@localhost> 
wrote:
> (top post)
>
> vulnerabilities in NetBSD are no longer taken seriously.
>
> example, take:
> CVE-2012-4559, CVE-2012-4560, CVE-2012-4561 and CVE-2012-4562
> we cannot say _anything_ about whether we have this vulnerability,
> given we have an impostor libssh and not _the_real_thing_
> that we distribute to you all.
>
> I am totally ashamed of our platform.
>
> On Thu, 2013-01-31 at 15:20 +0000, gnats-admin%netbsd.org@localhost wrote:
>> Thank you very much for your problem report.
>> It has the internal identification `pkg/47518'.
>> The individual assigned to look at your
>> report is: pkg-manager.
>>
>> >Category:       pkg
>> >Responsible:    pkg-manager
>> >Synopsis:       security/libssh MUST be replaced by the real wip/libssh
>> >Arrival-Date:   Thu Jan 31 15:20:00 +0000 2013
>
> http://mail-index.netbsd.org/pkgsrc-wip-cvs/2013/01/31/msg030641.html
>
> http://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=47518
>
> From www%NetBSD.org@localhost  Thu Jan 31 15:16:38 2013
> Return-Path: <www%NetBSD.org@localhost>
> Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
>         by www.NetBSD.org (Postfix) with ESMTP id E3C1363C07C
>         for <gnats-bugs%gnats.NetBSD.org@localhost>; Thu, 31 Jan 2013 
> 15:16:37 +0000 (UTC)
> Message-Id: <20130131151637.3F98C63C07C%www.NetBSD.org@localhost>
> Date: Thu, 31 Jan 2013 15:16:37 +0000 (UTC)
> From: noud4%home.nl@localhost
> Reply-To: noud4%home.nl@localhost
> To: gnats-bugs%NetBSD.org@localhost
> Subject: security/libssh MUST be replaced by the real wip/libssh
> X-Send-Pr-Version: www-1.0
>
>
>>Number:         47518
>>Category:       pkg
>>Synopsis:       security/libssh MUST be replaced by the real wip/libssh
>>Confidential:   no
>>Severity:       critical
>>Priority:       high
>>Responsible:    pkg-manager
>>State:          open
>>Class:          change-request
>>Submitter-Id:   net
>>Arrival-Date:   Thu Jan 31 15:20:00 +0000 2013
>>Last-Modified:  Thu Jan 31 15:40:04 +0000 2013
>>Originator:     Noud de Brouwer
>>Release:        does imply all releases that can build security/libssh
>>Organization:
> -none-
>>Environment:
> NetBSD 10.0.2.17 6.99.16 NetBSD 6.99.16 (MONOLITHIC.UGEN) #7: Wed Jan 16 
> 02:06:10 UTC 2013  
> mickey55@10.0.2.17:/obj-src/sys/arch/i386/compile/MONOLITHIC.UGEN i386
>>Description:
> security/libssh is an imposter and wip/libssh is the real thing.
>
>
> security/libssh/Makefile:
> DISTNAME=       libssh-0.11
> PKGREVISION=    3
> CATEGORIES=     security
> MASTER_SITES=   http://www.0xbadc0de.be/libssh/
>
>
> wip/libssh/Makefile:
> DISTNAME=               libssh-0.5.3
> CATEGORIES=             security
> MASTER_SITES=           http://www.libssh.org/files/0.5/
>
>
> Now, what are the implications? We do _not_ know, in the current situation,
> whether we are exploitable through:
> CVE-2012-4559, CVE-2012-4560, CVE-2012-4561 and CVE-2012-4562.
>
>
> furthermore: this _total_ unknown security/libssh is used in
> wip/gtk-grdc that can be removed given we now have net/remmina.
>
>
> furthermore: we now have security/hydra,
> if we want to keep this it should be in malware/hydra.
>
>
> I highly advise to retrieve ASau's account, and even want his
> sponsor to be monitored now (given I do not constantly want to
> check for booby-traps, backdoors and the like over time.)
>>How-To-Repeat:
> yeah (use your eyes and knowledge).
>>Fix:
> remove the existing security/libssh and pull up wip/libssh,
> preferably immediately.
>
>
>>Audit-Trail:
> From: Thomas Klausner <wiz%NetBSD.org@localhost>
> To: NetBSD bugtracking <gnats-bugs%NetBSD.org@localhost>
> Cc:
> Subject: Re: pkg/47518: security/libssh MUST be replaced by the real
>  wip/libssh
> Date: Thu, 31 Jan 2013 16:29:52 +0100
>
>
>  On Thu, Jan 31, 2013 at 03:20:01PM +0000, noud4%home.nl@localhost wrote:
>  > security/libssh in an imposter and wip/libssh is the real thing.
>
>
>  I think it's just a really old version.
>  http://www.0xbadc0de.be/libssh/
>  has a file listing that says:
>  [ ] libssh-0.11.tgz    09-Jan-2008 19:50       297K
>  [ ] libssh_now_at_www.libssh.org    26-Apr-2010 23:33  0
>
>
>  > furthermore: we now have security/hydra,
>  > if we want to keep this it should be in malware/hydra.
>
>
>  Why?
>
>
>  Btw, there's a newer version of hydra out.
>  http://freeworld.thc.org/thc-hydra/
>
>
>  > i high advise to retrieve ASau his account, even want his
>  > sponsor to be monitored now
>
>
>  What does he have to do with anything? Just because he was the last to
>  commit to hydra (destdir related)?
>
>
>  This mail is much too blatant for my taste.
>   Thomas
>
>
> From: Noud de Brouwer <noud4%home.nl@localhost>
> To: gnats-bugs%NetBSD.org@localhost
> Cc:
> Subject: Re: pkg/47518: security/libssh MUST be replaced by the real
>  wip/libssh
> Date: Thu, 31 Jan 2013 15:42:44 +0000
>
>
>  On Thu, 2013-01-31 at 15:30 +0000, Thomas Klausner wrote:
>  >  This mail is much too blatant for my taste.
>
>
>  err, no Thomas, you are fully mistaken on this one,
>  security/libssh is totally blatant, not my PR and successive e-mails.
>  >   Thomas
>  -- noud
>

