Date:      Wed, 26 Jun 2002 10:23:14 -0600
From:      Brett Glass <brett@lariat.org>
To:        Mike Tancsa <mike@sentex.net>, Darren Reed <avalon@coombs.anu.edu.au>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory)
Message-ID:  <4.3.2.7.2.20020626101626.02274c80@localhost>
In-Reply-To: <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca>
References:  <200206261452.AAA26617@caligula.anu.edu.au> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca>

Mike:

It is clear that Theo was attempting to have people apply the workaround 
which had the least chance of revealing the nature of the bug in advance, 
lest it be discovered by others and exploited.

It's truly sad that ISS, which knew about Theo's advisory, released this 
information today, instead of next week as Theo asked them to. If Theo's 
roadmap for disclosure had been followed, more administrators could have 
been informed about the bug, and they would have had time to take 
preventive measures through the weekend before the skript kiddies began 
their race to exploit the bug. Now, the race has begun. In fact, the 
problem has been exacerbated because administrators who *could* have 
secured their systems thought they'd have time to do so over the weekend.

Theo made a worthy attempt to minimize harm (which should be the goal of 
any security policy). It's a shame that ISS sought the spotlight instead 
of doing the same.

--Brett Glass

At 09:10 AM 6/26/2002, Mike Tancsa wrote:


>Also, the ISS advisory states
>
>"Administrators can remove this vulnerability by disabling the 
>Challenge-Response authentication parameter within the OpenSSH daemon 
>configuration file. This filename and path is typically: 
>/etc/ssh/sshd_config. To disable this parameter, locate the 
>corresponding line and change it to the line below: 
>ChallengeResponseAuthentication no "
>
>This would imply there is a workaround, but the talk beforehand
>
>----quote from Message-Id: <200206242327.g5ONRBLI012690@cvs.openbsd.org>---
>
>Bullshit.
>
>You have been told to move up to privsep so that you are immunized by
>the time the bug is released.
>
>If you fail to immunize your users, then the best you can do is tell
>them to disable OpenSSH until 3.4 is out early next week with the
>bugfix in it.  Of course, then the bug will be public.
>----end-quote---


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
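Added example, not part of Brett's message, the quoted posts, or the OpenSSH project: a POSIX sh check for which of the two mitigations named in the thread an sshd_config actually puts into effect, the ISS workaround (ChallengeResponseAuthentication no) and the privsep route Theo points to (UsePrivilegeSeparation yes). It assumes the sshd_config(5) rule that the first value read for a keyword is the one used, so a "no" appended below an earlier uncommented "yes" changes nothing; Match blocks, a later OpenSSH feature, are not modelled. The sample configs are constructed. The script takes no position on whether the ISS workaround is sufficient, which is the point in dispute above; it only reports what is set.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH). Audits an sshd_config for the
# two mitigations discussed above: ChallengeResponseAuthentication no (ISS advisory)
# and UsePrivilegeSeparation yes (privsep).
# Assumption: sshd keeps the FIRST value it reads for a keyword, so a "no" appended
# below an earlier uncommented "yes" has no effect. Match blocks are not handled.

# effective_value FILE KEYWORD
# Prints the value sshd would use (first uncommented occurrence, lower-cased),
# or "(unset)" when the keyword never appears and the compiled-in default applies.
effective_value() {
    awk -v kw="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^#/ || line == "" { next }          # comments and blank lines
        {
            n = split(line, f, /[ \t=]+/)           # "Key value" or "Key=value"
            if (n >= 2 && tolower(f[1]) == tolower(kw)) {
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print "(unset)" }
    ' "$1"
}

# audit_sshd_config FILE
# Reports both directives; returns 0 only when both are explicitly in effect.
# "(unset)" is treated as unverified rather than guessing the build's default.
audit_sshd_config() {
    cra=$(effective_value "$1" ChallengeResponseAuthentication)
    psep=$(effective_value "$1" UsePrivilegeSeparation)
    rc=0
    if [ "$cra" = "no" ]; then
        echo "ChallengeResponseAuthentication: no   (ISS workaround in effect)"
    else
        echo "ChallengeResponseAuthentication: $cra   (ISS workaround NOT in effect)"
        rc=1
    fi
    if [ "$psep" = "yes" ]; then
        echo "UsePrivilegeSeparation: yes   (privsep in effect)"
    else
        echo "UsePrivilegeSeparation: $psep   (privsep NOT in effect)"
        rc=1
    fi
    return $rc
}

# Constructed sample configs (not any real host's file) for the demo below.
sample_config_good() {
    cat <<'EOF'
Port 22
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
UsePrivilegeSeparation yes
EOF
}

# The trap: "no" was appended at the bottom, but the earlier uncommented "yes" wins.
sample_config_trap() {
    cat <<'EOF'
Port 22
ChallengeResponseAuthentication yes
UsePrivilegeSeparation no
# appended after reading the advisory; sshd still uses the first value above
ChallengeResponseAuthentication no
EOF
}

tmp=$(mktemp)
for sample in sample_config_good sample_config_trap; do
    "$sample" > "$tmp"
    echo "== $sample"
    audit_sshd_config "$tmp" || echo "   verdict: still exposed"
done
rm -f "$tmp"
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config` after sourcing the script; the exit status is non-zero whenever either directive is missing or has the wrong first value, which makes it usable from a cron job or a host inventory run. The "(unset)" case is deliberately not treated as safe, because the default depends on the OpenSSH build.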