On 8/20/25 06:41, Rene Malmgren wrote:
> 1. The commit was designed on purpose in such a way as to hide the intentional reintroduction of CVE-2006-5051.
> 2. This "feature" is part of the smokescreen.
> 3. The overly complicated design is not a bug; it's a feature to hide a reintroduction of a bug.

These three points are entirely unsupported by the evidence. It is an unfounded leap of logic to suggest that this was intentional when it is adequately explained by a simple coding failure. It's like accusing OpenSSL of purposefully allowing CVE-2022-3358 into the code base (yes, I picked that one on purpose).
More to the point - what would they have to gain by doing this? Do you think that they are taking big money from foreign governments to introduce weaknesses into the application? A healthy amount of paranoia in this field is a good thing, but this is over the top.

Chris
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev