Rene, Please check this the *Official* OpenSSH and tell us why the flags you so vicariously blamed Damien for, is NOT in that file, the latest as of today, ie. that still would be a CVE… for Linux that is… but you seemed to have missed that Rene https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/log.c.diff?ipk=fF83_JCDCKqCJ85QEwn7jbP5Ag2cF3ZCTZ6QbjGp4RE&r1=1.52&r2=1.53&f=h > On 20 Aug 2025, at 13:56, Rene Malmgren <rene.malmgren@xxxxxxxxxxx> wrote: > > Ok I should be clearer here, yes there are merges, but explain to me how a merge conflict would remove the two critical flags. I am not talking about surface here. I am talking about a clear step by step analysis, that shows how the flags got removed. > > /Rene > ________________________________ > From: Stuart Henderson <stu@xxxxxxxxxxxxxxx> > Sent: Wednesday, August 20, 2025 3:07 PM > To: Rene Malmgren <rene.malmgren@xxxxxxxxxxx> > Cc: openssh-unix-dev@xxxxxxxxxxx <openssh-unix-dev@xxxxxxxxxxx> > Subject: Re: Followup on Inquiry about regreSSHion postmortem > > On 2025/08/20 10:41, Rene Malmgren wrote: >> Actually, there is no evidence in the available data that such a merge even has happened > > This is simply the way that cross-platform OpenSSH commits are done: > > - they are first made to OpenBSD's CVS tree > > - then they are later merged to openssh-portable git with an "upstream: > XX" comment and OpenBSD-Commit-ID line (with the RCS ID line synced with > that from the OpenBSD tree in the commit) > > there is plenty of evidence of this, and nothing on the surface unusual > about this merge commit compared with others > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev@xxxxxxxxxxx > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
