Date: Mon, 24 Jun 2002 19:56:51 -0600
From: Theo de Raadt <deraadt@cvs.openbsd.org>
To: Jason Stone <jason-fbsd-security@shalott.net>
Cc: FreeBSD Security <security@freebsd.org>
Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd)
Message-ID: <200206250156.g5P1upLJ029822@cvs.openbsd.org>
In-Reply-To: Your message of "Mon, 24 Jun 2002 18:50:23 PDT." <20020624183837.P40482-100000@walter>
> > Although I sympathize with the desire to be able to make informed
> > decisions regarding older versions of supported software that's in the
> > field, I have to say that I side with Theo here: We're being warned that
> > a critical exploit will be published in a few days, along with the
> > simultaneous release of a version of the software that fixes the bug
> > that leads to the exploit, AND we're being told how to immunize
> > ourselves against the exploit--using currently-available
> > software--several days in advance of the announcement.

You are misinformed; the sky is not pink.

> 1) The problem for us is that we're still using openssh-2.x in -STABLE, so
> privilege separation isn't really an option.

Fine. Then turn sshd off.

> 2) Privilege separation, while a great idea, is not the same as there
> being no bug - there is still an exploitable bug in the openssh code.

Fine. So turn sshd off.

> And it seems to me that much time is being wasted pointing fingers about
> why vendors aren't helping with privilege separation; stop complaining
> about vendors and fix the bugs in your code.

Jason is begging that I release a patch tomorrow.

What do the rest of you think? Do you wish to be immunized first, or
should we just post a patch and have a public exploit a day later?

> 3) If the openssh team has discovered the bug, the black hats have already
> discovered it as well.

Maybe they have, maybe they have not. But it isn't published yet.

> Delaying publication only gives the blackhats
> notice that they'd better hack as many systems as they can before the fix
> comes out.

If they have it. Sure, fine. Blackhats -- shalott.net is a good target.

> Release now and let the community help you fix the bug (since
> apparently it's so complicated that you can't fix it right away on your
> own...).

It took about 3 minutes for the first rev.

Apparently you have a comprehension difficulty. I urge you to go back
and re-read what I posted to lots of lists. Perhaps some other people
can help you.