On 20.12.2013 13:38, olli hauer wrote: > md2 was deprecated in 2009 by the openssl project > > http://cvs.openssl.org/chngview?cn=18381 > CVE-2009-2409 > > As fas as I know some Linux based projects have removed md2 from > openssl-0.9.x in 2009. So, when are we removing sum(1) and cksum(1) -- implementation of the even weaker hashing?
Should we do with rsh(1), what Linux have done: % rsh -v OpenSSH_5.9p1 Debian-5ubuntu1.1, OpenSSL 1.0.1 14 Mar 2012 usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port] [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file] [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] [user@]hostname [command] How about rexec/rcmd(3), gets(3), and tmpfile(3)? OpenSSL may have deprecated md2 (though it remains an option even there, just off by default), but FreeBSD did not have to -- our libmd could've continued to offer the functionality, just as libz, for yet another example, continues to offer its own checksum implementation. If, for some reason, we feel we must warn the user, we could do that when installing ports -- as we already warn about the network-listening and other potentially dangerous functions. Could we, please, have MD2 resurrected before 10.0 is officially out? Preferably in both -lmd and -lcrypto, but certainly in the former. Thank you! Yours, -mi _______________________________________________ email@example.com mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"