Date: Wed, 26 Jun 2002 12:47:11 -0500 From: Pete Ehlke <pde@rfc822.net> To: freebsd-security@FreeBSD.ORG Subject: Re: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory) Message-ID: <20020626174711.GB89844@rfc822.net> In-Reply-To: <4.3.2.7.2.20020626101626.02274c80@localhost> References: <200206261452.AAA26617@caligula.anu.edu.au> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> <4.3.2.7.2.20020626101626.02274c80@localhost>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Jun 26, 2002 at 10:23:14AM -0600, Brett Glass wrote: > Mike: > > It is clear that Theo was attempting to have people apply the workaround > which had the least chance of revealing the nature of the bug in advance, > lest it be discovered by others and exploited. > > It's truly sad that ISS, which knew about Theo's advisory, released this > information today, instead of next week as Theo asked them to. If Theo's > roadmap for disclosure had been followed, more administrators could have > been informed about the bug, and they would have had time to take > preventive measures through the weekend before the skript kiddies began > their race to exploit the bug. Now, the race has begun. In fact, the > problem has been exacerbated because administrators who *could* have > secured their systems thought they'd have time to do so over the weekend. > ISS have claimed to me in private mail that Bugtraq sat on the advisory for some 30 hours, and that during that 30 hour period, ISS and the openssh team, specifically including Theo, agreed to bring forward the announcement date. Given the timing of the initial announcement's appearance on various lists, I'm inclined to believe them about the first part of that claim. The second part, especially given ISS' history of appearing to be more concerned with being first to market with advisories than with responsible vendor notification, is open to fairly serious debate until Theo or someone else from openssh comments. Given the pace of events this week, though, it's certainly not out of the question. But then, none of this belongs on -security, anyway ;) -P. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020626174711.GB89844>