At 05:11 AM 2/1/2017, Piotr Kubaj via freebsd-security wrote:
>We shouldn't forbid people to shoot themselves in their heads. If
>someone needs it, they should get it, especially since it won't
>require much maintenance.
>Just repocopy the port and mark as deprecated and vulnerable next
>time there's a CVE in OpenSSH.
Perhaps it would be best if the SSHv1 code were encapsulated in a
library which could be used to access perfectly good equipment for
which new software/firmware is not being developed. This would keep
the code, whatever its quality, out of the main SSH codebase but
still make it possible to access vital gear as needed.
My company has equipment that would cost more than we could afford
to replace that runs only SSHv1, and is well protected from attacks
by other means (such as firewalls and VPNs). It's perfectly safe to
use SSHv1 with it, and a darned sight safer than devolving to
Telnet. Just as it's useful to have a way of accessing devices that
use SSLv3 (we maintain browsers specifically for that purpose), it
pays to have a way to get at an embedded device that will never
support versions of SSH beyond v1.
--Brett Glass
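A practical follow-up to the thread above, added here as an example and not part of the original mailing-list message or of any FreeBSD or OpenSSH code: before deciding what to do with a legacy SSHv1 port, it helps to know which devices on the network actually are v1-only. The SSH identification string (RFC 4253 section 4.2, "SSH-protoversion-softwareversion") tells you: protoversion "1.3" or "1.5" means SSHv1 only, "1.99" means the server speaks v2 but still offers v1, and "2.0" means v2 only. The function names, the host labels and the sample banners below are constructed for illustration.

```python
import socket

# Classify a raw SSH server greeting. Per RFC 4253 section 4.2 the server
# may send arbitrary pre-banner lines (none of which start with "SSH-")
# before the identification line "SSH-protoversion-softwareversion".
# Return values are simple labels chosen for this example.
def classify_banner(raw: str) -> str:
    for line in raw.replace("\r\n", "\n").split("\n"):
        if not line.startswith("SSH-"):
            continue  # pre-banner text, skip it
        parts = line.split("-", 2)
        if len(parts) < 3:
            return "malformed"
        proto = parts[1]
        if proto == "1.99":
            return "v1+v2"      # v2-capable, but still accepts v1 clients
        if proto.startswith("1."):
            return "v1-only"    # 1.3 / 1.5: the gear Brett is talking about
        if proto == "2.0":
            return "v2-only"
        return "unknown"
    return "not-ssh"


# Read the greeting from a live host. This is the only part that touches
# the network; the classification itself works on captured text.
def read_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        lines = []
        for _ in range(20):  # bound the number of pre-banner lines we tolerate
            line = reader.readline()
            if not line:
                break
            text = line.decode("ascii", errors="replace")
            lines.append(text)
            if text.startswith("SSH-"):
                break
        return "".join(lines)


# Map a {label: banner} inventory to {label: classification}.
def inventory(banners: dict) -> dict:
    return {label: classify_banner(banner) for label, banner in banners.items()}


# Constructed sample greetings (hypothetical device labels and strings).
SAMPLE_BANNERS = {
    "old-switch": "SSH-1.5-Legacy_1.0\r\n",
    "mid-router": "SSH-1.99-Vendor_2.1\r\n",
    "new-server": "SSH-2.0-OpenSSH_7.4 FreeBSD-20170903\r\n",
    "chatty-box": "Authorized use only\r\nSSH-2.0-Vendor_3.0\r\n",
    "ftp-port":   "220 ftp service ready\r\n",
}

if __name__ == "__main__":
    for label, verdict in inventory(SAMPLE_BANNERS).items():
        print(f"{label:12s} {verdict}")
```

The "v1+v2" case is the one most worth acting on: a device that advertises 1.99 can usually be configured to drop v1 entirely, whereas a "v1-only" device is exactly the equipment for which a separately maintained legacy client (behind the firewall and VPN, as described above) is the only alternative to Telnet.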