Followup on Inquiry about regreSSHion postmortem

hvjunk hvjunk at gmail.com
Thu Aug 21 05:51:21 AEST 2025


Rene,

 You are again acting maliciously in your statements.
And again: Go install OpenBSD and OpenSSH *official* if you really want security, as regreSSHion didn't even feature there!

OpenSSH-portable does a splendid job contrary to your malicious actions here (Oh and misquoting Rene from other email: Better assign malice instead even though insanity is shown)

The ones to blame are rather the Linux Kernel devs, the GNU LibC and those pesky SystemD guys when you do want to blame lack of security in Linux. Their N.I.H.S. is shown in several ways and places (I'll state my gripes with LXC as a start) as really not security focussed IMnsHO, but "user" and money/business focussed


> On 20 Aug 2025, at 21:06, Rene Malmgren <rene.malmgren at redtoken.ae> wrote:
> 
> 
> I haven't read up on CVE-2022-3358, but it's my assessment that "Heartbleed" CVE-2014-0160 is an example of purposefully crafted attack on the system.
> 
> If you feel that the facts that I present do not add up, then by all means feel free to continue using said software on your system and recommend others to do so. It's your data that is at risk, and your reputation among your customers.
> 
> After all it's a free market of ideas.
> 
> We work under the assumption that organizations like NSO, Lazarus Group and so on exist, and that they pay for vulnerabilities on the grey market, and we advise our customers accordingly. So yes, the assumption is that the information has been sold. And the fact that the organization that produces the software seems to operate under the assumption that the non-OpenBSD users are fair game, well, it does not create a lot of confidence. Perhaps not what I wanted, but we can adjust. What is so far the biggest disappointment is that even the people that work for the non-OpenBSD organization don't seem to value the safety of their users.
> 
> /Rene
> 
> ________________________________
> From: openssh-unix-dev <openssh-unix-dev-bounces+rene.malmgren=redtoken.ae at mindrot.org> on behalf of Chris Rapier <rapier at psc.edu>
> Sent: Wednesday, August 20, 2025 8:44 PM
> To: openssh-unix-dev at mindrot.org <openssh-unix-dev at mindrot.org>
> Subject: Re: Followup on Inquiry about regreSSHion postmortem
> 
> 
> 
> On 8/20/25 06:41, Rene Malmgren wrote:
>> 1. The commit was designed on purpose in such a way as to hide the intentional reintroduction of CVE-2006-5051.
>> 2. This "feature" is part of the smokescreen.
>> 3. The overly complicated design is not a bug; it's a feature to hide a reintroduction of a bug.
> 
> These three points are entirely unsupported by the evidence. It is an
> unfounded leap of logic to suggest that this was intentional when it is
> adequately explained by a simple coding failure. It's like accusing
> OpenSSL of purposefully allowing CVE-2022-3358 into the code base (yes,
> I picked that one on purpose).
> 
> More to the point - what would they have to gain by doing this? Do you
> think that they are taking big money from foreign governments to
> introduce weaknesses into the application? A healthy amount of paranoia
> in this field is a good thing but this is over the top.
> 
> Chris
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


