Sponsored link
Vyatta –
Linux & Open Source
Alternative to Cisco –
Advanced Routing,
Firewall, VPN, QoS..
Free Download ->
| |||||||||||
OpenSSH 5.0 releasedOpenSSH 5.0 releasedPosted Apr 3, 2008 22:26 UTC (Thu) by joey (subscriber, #328)Parent article: OpenSSH 5.0 released
"The Debian OpenSSH Maintainers" did not file the bug, it was filed by a Debian USER, in a public bug tracking system. It was also apparently fixed years ago in Fedora w/o being realised it was a security hole. The problem was apparently reported directly to Theo de Raadt on February 3rd. See <http://bugs.debian.org/463011>
(Log in to post comments)
OpenSSH 5.0 released Posted Apr 3, 2008 22:42 UTC (Thu) by micah (subscriber, #20908) [Link] I requested this CVE from Mitre due after the comment from a bug submitter indicated that this had been forwarded upstream to the OpenSSH maintainers and they had not responded. I did not think that I needed to double check that this person did this, but I guess if it means low blows from the openssh people if I dont, then I will in the future.
OpenSSH 5.0 released Posted Apr 4, 2008 0:18 UTC (Fri) by djm (subscriber, #11651) [Link] It isn't a "low blow" to honestly state that Debian has not followed good procedure. You could tell from the bug report yourself that it had been forwarded to a single developer and not a security group contact and you never bothered to check with us to coordinate a release. So yes, if you follow good procedure in future than you are not likely to be criticised.
OpenSSH 5.0 released Posted Apr 4, 2008 2:10 UTC (Fri) by abartlet (subscriber, #3928) [Link] It is to do so in the release announcement. Leave such things for a private (or at least not in the announce mail) discussion with the debian maintainer.
OpenSSH 5.0 released Posted Apr 4, 2008 4:06 UTC (Fri) by micah (subscriber, #20908) [Link] Its a hard claim to accept that Debian didn't follow good procedure when the bug was reported in a public forum and existed there for nearly 3 months for all the internet to see. If this bug was reported via private channels such as vendor-sec and then Debian went about releasing it to the world anyways, then yes you would be right, but once its out there, its out there. I'm sorry, but there is no undo on the internet.
OpenSSH 5.0 released Posted Apr 14, 2008 18:02 UTC (Mon) by shane (subscriber, #3335) [Link] To be fair, there are a lot of public forums on the Internet. Every distribution has one, and software developers do not have the time to follow every single possible channel for bug reports.Normal procedure is for distributions to push bug reports and other patches upstream to the main developers. In my experience distributions tend to be pretty bad about this process, and maybe frustration with this has contributed to the asinine actions from the OpenSSH developers.
OpenSSH 5.0 released Posted Apr 4, 2008 6:36 UTC (Fri) by bronson (subscriber, #4806) [Link] Wow, two of the first three paragraphs of that press release are spent complaining about Debian. Tell us more about good procedure? Especially as related to discrete communication? :)
OpenSSH 5.0 released Posted Apr 10, 2008 10:55 UTC (Thu) by daniels (subscriber, #16193) [Link] Wow, what an incentive. 'Don't make any mistake ever, and we won't spend our entire release announcement calling you idiots.' Your generosity is matched only by your kindness. (Of course, Novell employees are idiots when they make a typo introducing one security bug, but whoever made this mistake is doubtless not an idiot.)
OpenSSH 5.0 released Posted Apr 3, 2008 22:52 UTC (Thu) by madscientist (subscriber, #16861) [Link] Well, sending directly to Theo is not the same as sending it to the official security mailing list, although one would hope that it would be sufficient. It would have been nice if Timo Juhani Lindfors had used Debian's security procedures as outlined in the Security FAQ (on the main page click "Security Information" and proceed accordingly) rather than reporting a security issue as a normal bug; that short-circuited Debian's security handling process. However, it's difficult to fault users for not being 100% up to date on all the minutae of distro processes. Is there any way in Debian BTS to mark a bug as a security bug, and so make it only visible to the security team? It would be nice to be able to "hide" bugs once they're realized to be security issues, until the problem goes public. I'm a little surprised the Debian maintainers apparently didn't follow Debian's security protocols; there's no sign this was raised with the Debian Security team, and indeed it sat around in the BTS for >6.5 weeks after the fix was known before it was acted on. All around it seems (looking at it externally) an unfortunate breakdown. However, to my mind the real fault here lies with Red Hat. Even if they hadn't recognized that this is a security issue it seems to me they have an obligation to push fixes like this back upstream; this is an obvious bug that, one has to imagine, the OpenSSH folks would have liked to have known about even without the security implications. Red Hat has been carrying this patch across 50+ package versions since 2005 with no sign that they ever tried to get the fix promoted up.
OpenSSH 5.0 released Posted Apr 3, 2008 23:06 UTC (Thu) by BenHutchings (subscriber, #37955) [Link] There is a "security" tag, but there is no facility for hidden bugs in debbugs. Security bugs that are not publicly known should be reported to security@debian.org (http://www.debian.org/security/faq#discover)
OpenSSH 5.0 released Posted Apr 3, 2008 23:08 UTC (Thu) by lordsutch (subscriber, #53) [Link] There is a security tag available in the BTS but as far as I know there's no facility in the BTS for hiding reports based on it or any other criteria. (I don't know how the security team tracks things internally, but I'm 99.8% sure it's not using bugs.debian.org.) I suppose reportbug and reportbug-ng should nag users who report bugs tagged security to send them to team@security.debian.org (or security@debian.org) instead if the vulnerability isn't publicly-known; I don't know how many users would know that offhand, though, so I'm not sure the question would help much.
OpenSSH 5.0 released Posted Apr 4, 2008 13:13 UTC (Fri) by jond (subscriber, #37669) [Link]
Hiding a bug in this fashion would violate Debian's social contract ("We will not hide
problems").
OpenSSH 5.0 released Posted Apr 4, 2008 22:36 UTC (Fri) by man_ls (subscriber, #15091) [Link] I don't think it counts as "hiding"; it is just "discreetly fixing before revealing"; other innocent parties can get hurt if this kind of information is disclosed. And after all the security team is not supposed to sit on security bugs indefinitely.
OpenSSH 5.0 released Posted Apr 7, 2008 10:21 UTC (Mon) by jond (subscriber, #37669) [Link] To quote that part of the social contract in full: "We will keep our entire bug report database open for public view at all times. Reports that people file online will promptly become visible to others."
OpenSSH 5.0 released Posted Apr 4, 2008 13:15 UTC (Fri) by jhubbard83 (guest, #21750) [Link] I don't know the real reason so this is just conjecture. Maintainers will carry around patches for a package that others find useful. RedHat/Fedora really do want to patches to go into upstream so that they don't have to carry them around. You've indicated that there are 50+ patches that they have been carrying since 2005. I don't know if that is true or not, but that would seem to indicate that it is hard to get patches accepted in upstream for whatever reason. The package maintainer has probably accepted that requests for patches being accepted will fall on deaf ears and has not bothered to attempt to get the supplier of the patch to send it upstream. I couldn't find any links quickly, but I have seen posts in the past about the difficulty of getting patches into openssh. At some point people will stop caring and won't attempt it anymore. This is not just an issue with OpenSSH but it common to other projects as well. Con Kolivas's decision to stop providing is a high visibility example.If someone at openssh really wanted, they could probably pull the source for the major distibutions packages and see what they're putting in them. Don't get me wrong I'm not trying to cast blame onto anyone, it's just the way life is and people make mistakes. Fix it and go on.
OpenSSH 5.0 released Posted Apr 4, 2008 13:16 UTC (Fri) by jhubbard83 (guest, #21750) [Link] Here's the Fedora openssh repo, if anyone is interested. http://cvs.fedoraproject.org/viewcvs/rpms/openssh/
OpenSSH 5.0 released Posted Apr 4, 2008 15:07 UTC (Fri) by madscientist (subscriber, #16861) [Link] Actually, I didn't say there were 50+ patches. What I said was that THIS patch has been applied to 50+ different Red Hat openssh RPM versions, since it was first discovered in 2005. I have no idea how many different patches Red Hat is carrying for openssh, although that would be interesting to look at. You're right, we don't know whether Red Hat tried to report this upstream, and was rebuffed, or not. However, there's no indication (in the bug report etc.) that such an attempt was made. I have also heard rumors that it can be difficult to get bugs reported upstream for openssh, probably because of the odd way it is packaged where the developers maintain only the OpenBSD port and other people are left to maintain all the other ports: in some cases it might be tricky to convince the developers that the bug exists in the original OpenBSD version as well. Still, as I said, even without the security implications being reported it seems like this is an obvious bug that they would have been interested to hear about.
OpenSSH 5.0 released Posted Apr 4, 2008 13:29 UTC (Fri) by nhippi (guest, #34640) [Link] > However, to my mind the real fault here lies with XXX I think it was rather a unfortunate chain of multiple human errors. Blaming a sigle point misses the whole point, when fiasco could have been avoided had almost anyone in the chain of events not done their mistake: x) confusing ipv4/ipv6 behaviour on socket bind If someone as experienced as openssh developers fall to this, how many other will/have done the same mistake? This api does not seem to follow the principle of least surprise. x) openssh developers creating the bug Not fully understanding the api you are using is quite common source of security problems. Requesting an tcp listening socket and then telling X to connect to the ipv4 address via $DISPLAY might seem reasonable to assume safe when ipv6 doesn't pop into your mind. x) fedora fixing the bug without realizing the the security implications Has also happened often before. Especially when dealing with software as critical to security as openssh, every bug should be considered as a security bug until proven wrong. It is unfortunate that distributions hold bugfixes in their packages without pushing them upstream.. x) reporting the security bug to debian via inproper channel For a enduser, finding out the proper way of reporting bugs is hard enough. Now it requires even more to find out that there is a separate channel or security issues. Now documentation might help but most people don't read them anyway. debbugs could support security bugs better (as it already supports the security tag the user was properly using..) x) reporting it to wrong upstream contact Different person than above, but basically the same mistake. x) Debian security not watching "security" tagged bugs closely. Presumably caused by lack of manpower. x) pushing the update to Debian not via the security channel While it was somewhat reasonable to expect that people before him in buglog had contacted the upstream properly, A bigger mistake was to upload to unstable directly instead notifying debian security team to do security uploads to stable and testing. -- While the specific people have probably learned by now and will not repeat their mistake(s), new people will join and eventually do similar mistakes. It's quite hard to avoid human mistakes without same time making contributing inhumanly hard.
OpenSSH 5.0 released Posted Apr 4, 2008 15:18 UTC (Fri) by madscientist (subscriber, #16861) [Link] You're right about all these errors, but you left out the one specific error I called out as the most egregious one: x) Red Hat does not report the bug and its fix upstream to OpenSSH back in 2005, when they found it. Of course it can be quite difficult to determine whether a bug is a security risk, especially if that's not how you came across it in the first place. I certainly don't blame Red Hat for not recognizing the security implications. Regardless, however, good community participation demands that when you find a bug you report it upstream to the developers. It's true we don't know for a fact that this was not done, but we can have a reasonable suspicion since there was no indication of this in the bug report, and the bug was not fixed upstream after all this time.
OpenSSH 5.0 released Posted Apr 7, 2008 10:07 UTC (Mon) by dwmw2 (subscriber, #2063) [Link] madscientist writes:You're right about all these errors, but you left out the one specific error I called out as the most egregious one:This is fairly unfortunate, and definitely not Fedora policy. For both selfish and altruistic reasons, we really do try to merge patches upstream as promptly as possible. OpenSSH is a bit special here, since it seems so hard to get patches merged. It's very unfortunate that we carry so many patches, but after my own experience with bugs/RFEs #1328, #1329 and #1330, for which I've been building my own packages for years and occasionally trying to merge the patches but getting nowhere, I can't really criticise our OpenSSH package maintainer for that. Looking through the (unfortunately private) bug report in RHEL bugzilla, it seems that it was originally reported to us with the text "Grrr. This is a *known* sshd bug...", which probably made it seem even less necessary for the package maintainer to chase it to the recalcitrant upstream. Still, maybe this is a good time for us to improve matters by trying to flush all our pending patches to upstream, and for upstream to start being a little more receptive to them.
OpenSSH 5.0 released Posted Apr 7, 2008 12:06 UTC (Mon) by djm (subscriber, #11651) [Link] Your commentary is quite misleading: of the three patches you list, only one is a bug (and is arguably not) - the other two are enhancements. One of these (multiple X11 forwarding) is not supported by the SSH protocol without hacks, and I have given you quite a reasoned explanation why we aren't pursuing your approach - that is not unresponsiveness, just a disagreement over what features should live in the product.
OpenSSH 5.0 released Posted Apr 7, 2008 12:14 UTC (Mon) by djm (subscriber, #11651) [Link] I should add that most (all?) of the _bugs_ filed by the Redhat maintainer (Thomas Mraz) against OpenSSH are closed, mostly because he writes great bug reports and makes his patches very easy to merge. He is probably the easiest distribution representative to deal with.
OpenSSH 5.0 released Posted Apr 7, 2008 14:16 UTC (Mon) by dwmw2 (subscriber, #2063) [Link] I'm sorry; I didn't mean to mislead. I did say "bugs/RFEs", and it was just an example.Personally, I count the first two as bugs and only the last as an RFE — I do consider the forwarding of X clients to the "wrong" display to be a bug rather than a missing feature, and it isn't so much of a hack to use our own locally-generated MIT-MAGIC-COOKIE to differentiate between clients. I thought your objection was mostly that we have a similar bug with agent forwarding which is harder to fix, and that fixing one but not the other would be inconsistent, even though the agent forwarding bug is much less often an issue (in my experience, never). But this probably isn't the correct forum for that discussion. I could perhaps have also included bug #1349, but I haven't been carrying that patch in my builds for so long. Anyway, those are just in my personal builds. The important thing is that we get everything from the distribution(s) properly considered for merging upstream. There are too many patches outstanding for my liking, for whatever reasons.
|
|||||||||||