http://marc.info/?l=openbsd-tech&m=129236621626462&w=2
Is CentOS affected?
On 12/14/10 10:30 PM, Fajar Priyanto wrote:
> http://marc.info/?l=openbsd-tech&m=129236621626462&w=2
> Is CentOS affected?
It's not clear yet if even OpenBSD is affected. Be pretty hard to imagine any such back door remaining in 10 year old code that's subject to such rigorous security audits as OpenBSD.
There's a lot that doesn't jive. Like, the encryption coding was all done outside the USA so the encryption export laws in effect at the time had no impact.
On Wed, Dec 15, 2010 at 1:46 AM, John R Pierce pierce@hogranch.com wrote:
> On 12/14/10 10:30 PM, Fajar Priyanto wrote:
>> http://marc.info/?l=openbsd-tech&m=129236621626462&w=2
>> Is CentOS affected?
> It's not clear yet if even OpenBSD is affected. Be pretty hard to imagine any such back door remaining in 10 year old code that's subject to such rigorous security audits as OpenBSD.
> There's a lot that doesn't jive. Like, the encryption coding was all done outside the USA so the encryption export laws in effect at the time had no impact.
As someone contributing patches to the original SSH software and later OpenSSH patches at the time, I've got to say "no, it wasn't". Patches were accepted from anywhere. Carefully code reviewed, and many patches rejected, but indeed accepted. My favorite rejected patch was the "stop doing reverse DNS lookups, dang it!" patch. The only graceful way to entirely turn it off is to set the SSH daemon to record a maximum hostname length of zero, which is a very strange way to simply disable that behavior. (It causes serious connection lag in networks where you're unlikely to be able to get reliable reverse DNS, which is far too common a setup issue.)
Patches aren't necessarily considered encryption.
On Wednesday, December 15, 2010 01:30:28 am Fajar Priyanto wrote:
See also http://www.itworld.com/open-source/130820/openbsdfbi-allegations-denied-name...