Date:      Tue, 25 Jun 2002 00:49:11 -0400 (EDT)
From:      "Michael Richards" <michael@fastmail.ca>
To:        security@FreeBSD.ORG
Subject:   Re: Upcoming OpenSSH vulnerability 
Message-ID:  <3D17F647.000045.31912@ns.interchange.ca>



Does anyone feel like they're being held over a barrel and forced to 
take something being told that it's good for them? Perhaps this new 
privilege separation thing is good but since it seems to be really 
new and neither well tested nor well integrated into any of the OSes 
it seems like something I'd rather not be taking uninformed.

After reviewing the code of the new 3.3.1p I've located a very simple 
yet obscure root exploit for this new version that everyone is 
blindly rushing to install because someone says there is a hole in 
the old one. Everyone is being rushed because someone wants to break 
into all the systems and install OpenBSD on them while we're asleep. 
I'm not going to tell anyone about this new exploit because then 
someone _else_ will probably fix it. 

Pretty silly huh? Maybe we should turn the internet off until the end 
of the week so all the sysadmins can patch their stuff. 

As someone else suggested, if this secret patch is really so 
important to keep crackers from coming up with their own exploits, 
why not just compile a bunch of binaries and distribute them. I'd be 
more than happy to donate some CPU time toward this cause. Having 
said this, at some point source will have to be made public that 
fixes this bug. Or is the issue more than only one individual knows 
about it and as a result there is one person working to patch it?

-Michael