On 20.12.2013 13:38, olli hauer wrote:
> md2 was deprecated in 2009 by the openssl project
>
> http://cvs.openssl.org/chngview?cn=18381
> CVE-2009-2409
>
> As far as I know some Linux based projects have removed md2 from openssl-0.9.x in 2009.

So, when are we removing sum(1) and cksum(1) -- implementation of the even weaker hashing? Should we do with rsh(1) what Linux has done:

    % rsh -v
    OpenSSH_5.9p1 Debian-5ubuntu1.1, OpenSSL 1.0.1 14 Mar 2012
    usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
               [-D [bind_address:]port] [-e escape_char] [-F configfile]
               [-I pkcs11] [-i identity_file]
               [-L [bind_address:]port:host:hostport]
               [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
               [-R [bind_address:]port:host:hostport] [-S ctl_path]
               [-W host:port] [-w local_tun[:remote_tun]]
               [user_at_]hostname [command]

How about rexec/rcmd(3), gets(3), and tmpfile(3)?

OpenSSL may have deprecated md2 (though it remains an option even there, just off by default), but FreeBSD did not have to -- our libmd could've continued to offer the functionality, just as libz, for yet another example, continues to offer its own checksum implementation.

If, for some reason, we feel we must warn the user, we could do that when installing ports -- as we already warn about the network-listening and other potentially dangerous functions.

Could we, please, have MD2 resurrected before 10.0 is officially out? Preferably in both -lmd and -lcrypto, but certainly in the former. Thank you!

Yours,

-mi

Received on Wed Dec 25 2013 - 17:52:49 UTC