Date:      Wed, 26 Jun 2002 11:04:07 -0600
From:      "David G . Andersen" <danderse@cs.utah.edu>
To:        Brett Glass <brett@lariat.org>
Cc:        Attila Nagy <bra@fsn.hu>, freebsd-security@FreeBSD.ORG
Subject:   Re: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory)
Message-ID:  <20020626110407.B22168@cs.utah.edu>
In-Reply-To: <4.3.2.7.2.20020626105413.02275240@localhost>; from brett@lariat.org on Wed, Jun 26, 2002 at 10:56:46AM -0600
References:  <4.3.2.7.2.20020626103956.02291aa0@localhost> <4.3.2.7.2.20020626101626.02274c80@localhost> <200206261452.AAA26617@caligula.anu.edu.au> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> <4.3.2.7.2.20020626101626.02274c80@localhost> <4.3.2.7.2.20020626103956.02291aa0@localhost> <Pine.LNX.4.44.0206261845200.16380-100000@scribble.fsn.hu> <4.3.2.7.2.20020626105413.02275240@localhost>

Brett Glass just mooed:
> 
> >Ppl, before you are going crazy, think a little.
> >Theo did you a favor when he released his letter. Why? Because now all of
> >you are using privsep, 
> 
> Alas, Theo's letter said that people had until July 1 to implement
> PrivSep before the details of the bug were revealed. Since many admins 
> can't take whole farms of production machines down during the week, I know 
> of several who were planning to implement PrivSep this coming weekend. 
> The early announcement by ISS has put them and their organizations at risk.

  bullshit.  there's a one line workaround for this bug.  If this were
something that actually required an immediate major version upgrade,
then Theo's handling of it would have been good.  But with a one-line
configuration file change that can fix things until admins have time
to test and deploy a hugely new ssh version, his actions were beyond
stupid.

  -dave

-- 
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/
