Followup on Inquiry about regreSSHion postmortem
Rene Malmgren
rene.malmgren at redtoken.ae
Thu Aug 21 05:06:12 AEST 2025
I haven't read up on CVE-2022-3358, but it's my assessment that "Heartbleed" CVE-2014-0160 is an example of a purposefully crafted attack on the system.
If you feel that the facts that I present do not add up, then by all means feel free to continue using said software on your system and recommend others to do so. It's your data that is at risk, and your reputation among your customers.
After all it's a free market of ideas.
We work under the assumption that organizations like NSO, Lazarus Group and so on exist, and that they pay for vulnerabilities on the grey market, and we advise our customers accordingly. So yes, the assumption is that the information has been sold. And the fact that the organization that produces the software seems to operate under the assumption that the non-OpenBSD users are fair game, well, it does not create a lot of confidence. Perhaps not what I wanted, but we can adjust. What is so far the biggest disappointment is that even the people that work for the non-OpenBSD organization don't seem to value the safety of their users.
/Rene
________________________________
From: openssh-unix-dev <openssh-unix-dev-bounces+rene.malmgren=redtoken.ae at mindrot.org> on behalf of Chris Rapier <rapier at psc.edu>
Sent: Wednesday, August 20, 2025 8:44 PM
To: openssh-unix-dev at mindrot.org <openssh-unix-dev at mindrot.org>
Subject: Re: Followup on Inquiry about regreSSHion postmortem
On 8/20/25 06:41, Rene Malmgren wrote:
> 1. The commit was designed on purpose in such a way as to hide the intentional reintroduction of CVE-2006-5051.
> 2. This "feature" is part of the smokescreen.
> 3. The overly complicated design is not a bug; it's a feature to hide a reintroduction of a bug.
These three points are entirely unsupported by the evidence. It is an
unfounded leap of logic to suggest that this was intentional when it is
adequately explained by a simple coding failure. It's like accusing
OpenSSL of purposefully allowing CVE-2022-3358 into the code base (yes,
I picked that one on purpose).
More to the point - what would they have to gain by doing this? Do you
think that they are taking big money from foreign governments to
introduce weaknesses into the application? A healthy amount of paranoia
in this field is a good thing, but this is over the top.
Chris
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev