OpenSSH 5.0 released

Posted Apr 4, 2008 15:18 UTC (Fri) by madscientist (subscriber, #16861)
In reply to: OpenSSH 5.0 released by nhippi
Parent article: OpenSSH 5.0 released

You're right about all these errors, but you left out the one specific error I called out as the most egregious one:

x) Red Hat does not report the bug and its fix upstream to OpenSSH back in 2005, when they found it.

Of course it can be quite difficult to determine whether a bug is a security risk, especially if that's not how you came across it in the first place. I certainly don't blame Red Hat for not recognizing the security implications. Regardless, however, good community participation demands that when you find a bug you report it upstream to the developers. It's true we don't know for a fact that this was not done, but we can have a reasonable suspicion since there was no indication of this in the bug report, and the bug was not fixed upstream after all this time.



OpenSSH 5.0 released

Posted Apr 7, 2008 10:07 UTC (Mon) by dwmw2 (subscriber, #2063)

madscientist writes:
You're right about all these errors, but you left out the one specific error I called out as the most egregious one:

x) Red Hat does not report the bug and its fix upstream to OpenSSH back in 2005, when they found it.

This is fairly unfortunate, and definitely not Fedora policy. For both selfish and altruistic reasons, we really do try to merge patches upstream as promptly as possible.

OpenSSH is a bit special here, since it seems so hard to get patches merged. It's very unfortunate that we carry so many patches, but after my own experience with bugs/RFEs #1328, #1329 and #1330, for which I've been building my own packages for years and occasionally trying to merge the patches but getting nowhere, I can't really criticise our OpenSSH package maintainer for that.

Looking through the (unfortunately private) bug report in RHEL bugzilla, it seems that it was originally reported to us with the text "Grrr. This is a *known* sshd bug...", which probably made it seem even less necessary for the package maintainer to chase it to the recalcitrant upstream.

Still, maybe this is a good time for us to improve matters by trying to flush all our pending patches to upstream, and for upstream to start being a little more receptive to them.

OpenSSH 5.0 released

Posted Apr 7, 2008 12:06 UTC (Mon) by djm (subscriber, #11651)

Your commentary is quite misleading: of the three patches you list, only one is a bug (and is arguably not) - the other two are enhancements. One of these (multiple X11 forwarding) is not supported by the SSH protocol without hacks, and I have given you quite a reasoned explanation why we aren't pursuing your approach - that is not unresponsiveness, just a disagreement over what features should live in the product.

OpenSSH 5.0 released

Posted Apr 7, 2008 12:14 UTC (Mon) by djm (subscriber, #11651)

I should add that most (all?) of the _bugs_ filed by the Red Hat maintainer (Thomas Mraz) against OpenSSH are closed, mostly because he writes great bug reports and makes his patches very easy to merge. He is probably the easiest distribution representative to deal with.

OpenSSH 5.0 released

Posted Apr 7, 2008 14:16 UTC (Mon) by dwmw2 (subscriber, #2063)

I'm sorry; I didn't mean to mislead. I did say "bugs/RFEs", and it was just an example.

Personally, I count the first two as bugs and only the last as an RFE — I do consider the forwarding of X clients to the "wrong" display to be a bug rather than a missing feature, and it isn't so much of a hack to use our own locally-generated MIT-MAGIC-COOKIE to differentiate between clients. I thought your objection was mostly that we have a similar bug with agent forwarding which is harder to fix, and that fixing one but not the other would be inconsistent, even though the agent forwarding bug is much less often an issue (in my experience, never). But this probably isn't the correct forum for that discussion.

I could perhaps have also included bug #1349, but I haven't been carrying that patch in my builds for so long.

Anyway, those are just in my personal builds. The important thing is that we get everything from the distribution(s) properly considered for merging upstream. There are too many patches outstanding for my liking, for whatever reasons.

Copyright © 2008, Eklektix, Inc.