From: Wincent Colaiuta
To: Theo de Raadt, freebsd-security@freebsd.org
Date: Thu, 27 Jun 2002 13:36:59 +0930
Subject: Re: Wow (or, How Theo should have handled it)
In-Reply-To: <200206261919.g5QJJLLI018466@cvs.openbsd.org>
Message-Id: <53E21546-8983-11D6-BE6B-003065C60B4C@mac.com>

On Thursday, 27 June, 2002, at 04:49 AM, Theo de Raadt wrote:

>> * Theo de Raadt (deraadt@cvs.openbsd.org) [020626 12:02]:
>>> We also did 5600 lines of further security auditing work over the last
>>> week. We're fairly convinced that some of the things we changed are
>>> relevant as well. ie. more holes.
>>>
>>> And that is committed in 3.4
>>
>> Theo,
>>
>> When will we see an advisory and/or patches for older versions
>> regarding the other holes that you have uncovered?
>
> You won't.
>
> I've barely slept in a week.
>
> So many of you are being totally unreasonable people.

Great. That's just what I want... a rushed 3.4 release which contains 5600 lines of code "audited" by a team of sleep-deprived zombies. (joking... I do appreciate your efforts, Theo).

Seriously, Theo, the best thing you could've done would have been to fully disclose the original bug in the challenge/response code and the one-line fix (turn off challenge/response auth), and told people two things: firstly, that patches were being worked on; and secondly, that 3.4 was on the way soon and that it would be desirable to upgrade to that and activate priv separation so as to better cope with future potential holes.

Unfortunately, the way you DID handle it created a furore and upset an awful lot of people who spent hours and hours undergoing a rushed and complicated upgrade procedure on dozens or even hundreds of boxes, when they probably would've preferred to apply the one-line workaround and upgrade to 3.4 in a more reasonable time-frame (ie. an orderly, planned upgrade; not a rushed, emergency one). To make matters worse, many of these people were using a version of OpenSSH that did not contain the vulnerability (remember, this is a FreeBSD list here).

Thanks once again for your work, Theo. I just wish things had gone a little bit more smoothly!

Regards

Wincent