# OpenSSH hole in FreeBSD



## User23 (Apr 11, 2014)

What the hack did I just read:


http://thread.gmane.org/gmane.os.openbs ... ocus=35731

"From: Theo de Raadt <deraadt <at> cvs.openbsd.org>
Subject: Re: OpenSSH hole, April 9
Newsgroups: gmane.os.openbsd.tech
Date: 2014-04-10 00:37:56 GMT (1 day, 12 hours and 17 minutes ago)
>Thanks for the clarification.
>
>I would also like to thank whomever for the extra descriptive text on
>the openssl patch issued the other day.  Having the clarification on
>the (non)impact on OpenSSH right in the patch was good ...

You are welcome.  Stuart Henderson wrote the draft, but he forgot that
part, and Damien Miller and I realized it was needed.  We sensed there
might be some ambiguity...  we'll take care the next time an
OpenOffice problem also.

... as long as you aren't using FreeBSD or a derivative (hint: Juniper),
you are fine.  That's the only place I know of an OpenSSH hole.

Oh now I sense some angst.  Please ask Kirk McKusick, he knows the
story about why this is not being disclosed to FreeBSD.  Sometimes I
feel a bit sorry for them (and for him), but then the next minute I
don't feel sorry because there's damn good reasons they won't be
told about what I found.

Does that answer help?  Hope so."


----------



## HarryE (Apr 11, 2014)

The mentioned OpenSSH hole seems to have been active in 2002...


----------



## obsigna (Apr 12, 2014)

User23 said:

> ...
> "From: Theo de Raadt <deraadt <at> cvs.openbsd.org>
> ...
> Does that answer help?  Hope so."



Perhaps the topic title _"OpenSSH hole in FreeBSD"_ does not exactly match the situation. When reading Theo's post, I thought _"Open *ss hole at OpenBSD"_ would have been more adequate.


----------



## ralphbsz (Apr 12, 2014)

Dear obsigna: Your post is inappropriate.

If you knew the history, and you knew the actors involved, you would probably understand why Theo is upset at many entities, and why Theo is particularly upset at FreeBSD and its leadership.

If I were Theo, I would simply stop making OpenSSH available for any OS other than OpenBSD.  If other OSes want to have a good ssh implementation, they are free to implement one.

I take no sides in this particular debate.  I've used OpenBSD, and love it, and I've used FreeBSD, and love it.  I am grateful that someone invests the effort of creating a carefully audited and very well-written ssh implementation.  And the open software community is full of strong personalities, who sometimes have difficulties working together.


----------

