Forums.FreeBSD.org - SSL Issue?
Dan Lukes
dan at obluda.cz
Mon May 18 17:34:10 UTC 2015
On 05/18/15 15:52, Mark Felder:
> I mean, should we have an SA because our libc supports strcpy and people
> can use that and create severe vulnerabilities?
No, but we should have SA whenever other system component is using
strcpy() the way that may affect system security.
System utility 'fetch' is willing negotiate known-to-be-insecure
protocol with no warning and by default. Sensitive user's data may be
transferred by base system utility via insecure protocol. I consider it
bug in fetch code. A system utility must not allow silent transfer of
data via known insecure protocol if secure transfer has been requested.
I see no reason to keep the issue in the dark, even in the case the
issue will not be patched on 8-R & 9-R. OK, I'm former bank IT security
officer, so I my expectations related to handling of security issues may
be set so high.
It seems there is nothing more to say about this (slightly off-)topic. I
wish the vulnerability should be disclosed to public, you wish it is not
necessary because it's known bug in a protocol design and users doesn't
expect secure channel from 'fetch'.
Two men, two opinions. It's not necessary to reach consent.
Thank you for all comments and responses.
Dan
More information about the freebsd-security
mailing list