Followup on Inquiry about regreSSHion postmortem
Chris Rapier
rapier at psc.edu
Thu Aug 21 02:44:04 AEST 2025
On 8/20/25 06:41, Rene Malmgren wrote:
> 1. The commit was designed on purpose in such a way as to hide the intentional reintroduction of CVE-2006-5051.
> 2. This "feature" is part of the smokescreen.
> 3. The overly complicated design is not a bug; it's a feature to hide a reintroduction of a bug.
These three points are entirely unsupported by the evidence. It is an
unfounded leap of logic to suggest that this was intentional when it is
adequately explained by a simple coding failure. It's like accusing
OpenSSL of purposefully allowing CVE-2022-3358 into the code base (yes,
I picked that one on purpose).
More to the point - what would they have to gain by doing this? Do you
think that they are taking big money from foreign governments to
introduce weaknesses into the application? A healthy amount of paranoia
in this field is a good thing but this is over the top.
Chris