Date: Wed, 26 Jun 2002 11:04:07 -0600
From: "David G . Andersen" <danderse@cs.utah.edu>
To: Brett Glass <brett@lariat.org>
Cc: Attila Nagy <bra@fsn.hu>, freebsd-security@FreeBSD.ORG
Subject: Re: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory)
Message-ID: <20020626110407.B22168@cs.utah.edu>
In-Reply-To: <4.3.2.7.2.20020626105413.02275240@localhost>; from brett@lariat.org on Wed, Jun 26, 2002 at 10:56:46AM -0600
References: <4.3.2.7.2.20020626103956.02291aa0@localhost> <4.3.2.7.2.20020626101626.02274c80@localhost> <200206261452.AAA26617@caligula.anu.edu.au> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> <4.3.2.7.2.20020626101626.02274c80@localhost> <4.3.2.7.2.20020626103956.02291aa0@localhost> <Pine.LNX.4.44.0206261845200.16380-100000@scribble.fsn.hu> <4.3.2.7.2.20020626105413.02275240@localhost>

Brett Glass just mooed:
>
> >Ppl, before you are going crazy, think a little.
> >Theo did you a favor when he released his letter. Why? Because now all of
> >you are using privsep,
>
> Alas, Theo's letter said that people had until July 1 to implement
> PrivSep before the details of the bug were revealed. Since many admins
> can't take whole farms of production machines down during the week, I know
> of several who were planning to implement PrivSep this coming weekend.
> The early announcement by ISS has put them and their organizations at risk.

bullshit. there's a one line workaround for this bug.

If this were something that actually required an immediate major
version upgrade, then Theo's handling of it would have been good.
But with a one-line configuration file change that can fix things
until admins have time to test and deploy a hugely new ssh version,
his actions were beyond stupid.

   -dave

--
work: dga@lcs.mit.edu                          me: dga@pobox.com
      MIT Laboratory for Computer Science      http://www.angio.net/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message