On 20.12.2013 13:38, olli hauer wrote:
> md2 was deprecated in 2009 by the openssl project
>  http://cvs.openssl.org/chngview?cn=18381
>  CVE-2009-2409
> As fas as I know some Linux based projects have removed md2 from 
> openssl-0.9.x in 2009.
So, when are we removing sum(1) and cksum(1) -- implementation of the
even weaker hashing?

Should we do with rsh(1), what Linux have done:

    % rsh -v
    OpenSSH_5.9p1 Debian-5ubuntu1.1, OpenSSL 1.0.1 14 Mar 2012
    usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c
               [-D [bind_address:]port] [-e escape_char] [-F configfile]
               [-I pkcs11] [-i identity_file]
               [-L [bind_address:]port:host:hostport]
               [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option]
    [-p port]
               [-R [bind_address:]port:host:hostport] [-S ctl_path]
               [-W host:port] [-w local_tun[:remote_tun]]
               [user@]hostname [command]

How about rexec/rcmd(3), gets(3), and tmpfile(3)? OpenSSL may have
deprecated md2 (though it remains an option even there, just off by
default), but FreeBSD did not have to -- our libmd could've continued to
offer the functionality, just as libz, for yet another example,
continues to offer its own checksum implementation.

If, for some reason, we feel we must warn the user, we could do that
when installing ports -- as we already warn about the network-listening
and other potentially dangerous functions.

Could we, please, have MD2 resurrected before 10.0 is officially out?
Preferably in both -lmd and -lcrypto, but certainly in the former. Thank
you! Yours,


freebsd-current@freebsd.org mailing list
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Reply via email to