Is OpenSSH vulnerable to the ZLIB problem or isn't it?

Dave Dykstra dwd at bell-labs.com
Thu Apr 4 05:48:44 EST 2002


On Wed, Apr 03, 2002 at 12:34:08PM -0700, Theo de Raadt wrote:
> > On Wed, Apr 03, 2002 at 11:08:44AM -0600, Dave Dykstra wrote:
> > > I'm disappointed that nobody has replied to my question.  OpenSSH
> > > development team, isn't the potential for a remote root exploit something
> > > that's important to you?  Many other tools that use zlib have issued a
> > > public statement saying they are or they are not vulnerable.
> > 
> > do you have an exploit? what would it look like?  what would it do?
> > sorry, i'm not writing exploits, so i have no idea how such an exploit
> > should work. however, compress.c now has some code that should
> > prevent a double free from zlib.
> 
> Please go read www.openbsd.org/security.html

That's wonderful; it has a statement on the zlib bug.  The corresponding
page at www.openssh.org/security.html, however, does not.  That's all I'm
asking for.


> We do not do exploitability checking.
> 
> Many groups on the net do, and I feel they waste their time greatly
> doing so, instead of just fixing their code.

I'm not asking for a detailed check, just a quick educated opinion from the
people who know the code best.


> As a user, do what you should naturally do.  Assume so.  And upgrade.
> I mean, what is the problem?  A bug has been fixed.  A new release is
> out.  Upgrade.

Please post a recommendation to do that then.


> We simply do not do software release management in the
> way you want us to, and we never will.  Why hold us accountable to do
> things in a stupid way which it is clear every single company on the
> planet does not follow either?
>
> Why should we be better, when we are unfinanced, volunteer based, and
> such?

I'm not asking you to do that.  I do that for openssh binaries for a lot
of people, and I'd just like some advice on whether or not it's worth
initiating my process to get all my users to upgrade.


> Know who publishes exploitability status reports?  People who need the
> PR.

Thanks.

- Dave Dykstra



More information about the openssh-unix-dev mailing list