[CentOS] Re: [CentOS-announce] Impact of the Debian OpenSSL vulnerability

Mon May 19 13:53:54 UTC 2008
Johnny Hughes <johnny at centos.org>

Les Mikesell wrote:
> Ralph Angenendt wrote:
>>
>>>> - What does our upstream think about this?
>>>> - What do the OpenSSH developers think about this?
>>> Someone is going to need to ask those questions of the people...
>>
>> I don't think the OpenSSH devels really do care about that - there is no
>> discussion whatsoever on the secureshell list or on the devel list.
>>
>> No idea about our upstream, but I don't think so either.
> 
> Does anyone know the point of the patch in the first place?  That is, 
> why would a distro-specific modification have been needed at all?  I 
> don't suspect an intentional compromise here but I'm curious about why 
> anyone would consider a non-standard change.
> 

The change was added due to valgrind testing of openssh and warnings 
produced while compiling.

The removal was discussed on the openssh-devel list.

If was clearly an accident caused by trying to do the right thing.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20080519/1e0642db/attachment-0005.sig>