I haven't read up on CVE-2022-3358, but it's my assessment that "Heartbleed" CVE-2014-0160 is an example of a purposefully crafted attack on the system.

If you feel that the facts that I present do not add up, then by all means feel free to continue using said software on your system and recommend others to do so. It's your data that is at risk, and your reputation among your customers. After all, it's a free market of ideas.

We work under the assumption that organizations like NSO, Lazarus Group and so on exist, and that they pay for vulnerabilities on the grey market, and we advise our customers accordingly. So yes, the assumption is that the information has been sold.

And the fact that the organization that produces the software seems to operate under the assumption that the non-OpenBSD users are fair game, well, it does not create a lot of confidence. Perhaps not what I wanted, but we can adjust.

What is so far the biggest disappointment is that even the people that work for the non-OpenBSD organization don't seem to value the safety of their users.

/Rene

________________________________
From: openssh-unix-dev <openssh-unix-dev-bounces+rene.malmgren=redtoken.ae@xxxxxxxxxxx> on behalf of Chris Rapier <rapier@xxxxxxx>
Sent: Wednesday, August 20, 2025 8:44 PM
To: openssh-unix-dev@xxxxxxxxxxx <openssh-unix-dev@xxxxxxxxxxx>
Subject: Re: Followup on Inquiry about regreSSHion postmortem

On 8/20/25 06:41, Rene Malmgren wrote:
> 1. The commit was designed on purpose in such a way as to hide the intentional reintroduction of CVE-2006-5051.
> 2. This "feature" is part of the smokescreen.
> 3. The overly complicated design is not a bug; it's a feature to hide a reintroduction of a bug.

These three points are entirely unsupported by the evidence. It is an unfounded leap of logic to suggest that this was intentional when it is adequately explained by a simple coding failure.

It's like accusing OpenSSL of purposefully allowing CVE-2022-3358 into the code base (yes, I picked that one on purpose).

More to the point - what would they have to gain by doing this? Do you think that they are taking big money from foreign governments to introduce weaknesses into the application?

A healthy amount of paranoia in this field is a good thing but this is over the top.

Chris

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev