Date: Wed, 26 Jun 2002 11:04:07 -0600
From: "David G. Andersen"
To: Brett Glass
Cc: Attila Nagy, freebsd-security@FreeBSD.ORG
Subject: Re: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory)
Message-ID: <20020626110407.B22168@cs.utah.edu>

Brett Glass just mooed:
>
> >Ppl, before you are going crazy, think a little.
> >Theo did you a favor when he released his letter. Why? Because now all of
> >you are using privsep,
>
> Alas, Theo's letter said that people had until July 1 to implement
> PrivSep before the details of the bug were revealed. Since many admins
> can't take whole farms of production machines down during the week, I know
> of several who were planning to implement PrivSep this coming weekend.
> The early announcement by ISS has put them and their organizations at risk.

bullshit. there's a one line workaround for this bug.

If this were something that actually required an immediate major
version upgrade, then Theo's handling of it would have been good.
But with a one-line configuration file change that can fix things
until admins have time to test and deploy a hugely new ssh version,
his actions were beyond stupid.

  -dave

--
work: dga@lcs.mit.edu                me: dga@pobox.com
MIT Laboratory for Computer Science  http://www.angio.net/