Date: Mon, 24 Jun 2002 22:02:29 -0400
From: "Peter C. Lai" <sirmoo@cowbert.2y.net>
To: Chris BeHanna <behanna@zbzoom.net>
Cc: FreeBSD Security <security@freebsd.org>, deraadt@cvs.openbsd.org
Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd)
Message-ID: <20020624220229.A92101@cowbert.2y.net>
In-Reply-To: <20020624212557.R7245-100000@topperwein.dyndns.org>; from behanna@zbzoom.net on Mon, Jun 24, 2002 at 09:35:06PM -0400
References: <20020624163538.H10398-100000@yez.hyperreal.org> <20020624212557.R7245-100000@topperwein.dyndns.org>
Is OpenSSH 3.3 now part of the base system? So are we phasing out ssh as part of the base system (since the answer to the first question is no, and therefore only the portable versions have privsep available)? Again, we don't know if older versions of ssh are vulnerable or not. I suppose this notice is great for those on the bleeding edge, but doesn't help the rest of the majority of users, who probably *aren't* running 3.3. The FreeBSD security-officer tries to help the general cross-section of the users, not just the few who run the latest and greatest.

On Mon, Jun 24, 2002 at 09:35:06PM -0400, Chris BeHanna wrote:
> Although I sympathize with the desire to be able to make informed
> decisions regarding older versions of supported software that's in the
> field, I have to say that I side with Theo here: We're being warned that
> a critical exploit will be published in a few days, along with the
> simultaneous release of a version of the software that fixes the bug
> that leads to the exploit, AND we're being told how to immunize
> ourselves against the exploit--using currently-available
> software--several days in advance of the announcement.
>
> Result: it's possible to completely prevent the window of
> vulnerability that usually exists between the announcement of an
> exploit and the availability of a fix for same. Any other way
> *guarantees* that there will be a leak prior to the bugfix release,
> causing more than a few folks to get burned by the exploit before they
> get a chance to read their mail and learn how to enable the workaround.
> In a perfect world, Theo could publicize the exploit without fear of
> it being used to burn people prior to their learning how to use the
> workaround. But in a perfect world, we wouldn't need OpenSSH.
>
> Thank you, Theo.
>
> --
> Chris BeHanna
> Software Engineer (Remove "bogus" before responding.)
> behanna@bogus.zbzoom.net
> Turning coffee into software since 1990.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
http://cowbert.2y.net/