4.6-R (Was: Re: FreeBSD Security Advisory FreeBSD-SA-03:18.openssl)

Jacques A. Vidrine nectar at FreeBSD.org
Mon Oct 6 07:10:07 PDT 2003 

On Mon, Oct 06, 2003 at 08:53:32AM -0500, D J Hawkey Jr wrote:
> Your point is well taken, and should be heeded, but I'm not sure about
> the "gurus" bit. I'm no guru, but I've been patching some EOL'd releases
> for a while now with little confusion.

I was trying to politely say, ``only by people who know what they are
doing''.

> Having said that, I've been looking over the SA-03:15 patchfile for
> RELENG_4_6 to see if I must patch a RELENG_4_5 box. My observations:
> 
>   1) In auth1.c, code is added to remember the last packet before getting
>      the next, in order to free resources if the next isn't what's expected.
>      The base OpenSSH in RELENG_4_5 doesn't allocate any such resources;
>      that patch isn't appropriate.
>   2) In auth2-pam-freebsd.c, there is a sanity check to see that an alloc'd
>      structure is properly initialized. Due to code style/structure,
>      RELENG_4_5's auth_pam.c doesn't seem to require this, as the structure
>      elements are explicitly set in the case clauses.
>   3) The default configuration is changed: RhostsRSAAuthentication -> no,
>      StrictHostKeyChecking -> ask, Cipher -> 3des, and Ciphers -> ... .
> 
>   The first two explain why the SA omits RELENG_4_5.

Not completely.  RELENG_4_5 is omitted also because it is no longer
supported by the security-officer team and we ran out of resources at
RELENG_4_6 (which is also no longer supported).  You will note that
RELENG_4_5 also did not receive fixes for the previous two OpenSSH
security advisories.

> However, my corresponding question is:
> 
>   3) Why the changes? Should RELENG_4_5's configuration also be changed?
> 
>   This is really the only question I have, as the code doesn't appear to
>   need any attention.

Check the commit logs on RELENG_4 from that period.  The differences
are due to normal development between the time 4.5-RELEASE and
4.6-RELEASE.

> And an unrelated question:
> 
>   - What's the BSD_AUTH define for? There doesn't seem to be anything
>     in RELENG_4_5 that activates the #ifdef'd code, and it looks as
>     though it's removed in RELENG_4_6.

bsdauth is an authentication mechanism preferred by OpenBSD (where
they have no PAM, IIRC).

Cheers,
-- 
Jacques Vidrine   . NTT/Verio SME      . FreeBSD UNIX       . Heimdal
nectar at celabo.org . jvidrine at verio.net . nectar at freebsd.org . nectar at kth.se

More information about the freebsd-security mailing list