
Re: OpenSSH: What went wrong?



On Sat, Jun 29, 2002 at 03:36:16AM +1000, Darren Reed wrote:
> What I'd expect, for starters, is quite simply that all "new" code must
> be audited before a "major" OpenSSH release is made.

jajajaja.

> I'd also expect, in an application like OpenSSH, for all inputs to
> be checked (this one wasn't).  This new code should have been rejected
> by someone before it got into the CVS tree for OpenSSH because it was
> missing things like this.

jajajaja.

> I don't particularly like the idea that this is a "new type of overflow".

jajajaja.

> What that says to me is that you aren't really auditing software
> properly if these kinds of things have slipped through previous audits.

jajajaja.

> Just for something different, maybe you should get together and have an
> auditathon rather than a hackathon.

jajajaja.