Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd)

From: Jason Stone (
Date: 06/25/02

Date: Mon, 24 Jun 2002 18:50:23 -0700 (PDT)
From: Jason Stone <>
To: FreeBSD Security <>

Hash: SHA1

> Although I sympathize with the desire to be able to make informed
> decisions regarding older versions of supported software that's in the
> field, I have to say that I side with Theo here: We're being warned that
> a critical exploit will be published in a few days, along with the
> simultaneous release of a version of the software that fixes the bug
> that leads to the exploit, AND we're being told how to immunize
> ourselves against the exploit--using currently-available
> software--several days in advance of the announcement.

1) The problem for us is that we're still using openssh-2.x in -STABLE, so
privelege separation isn't an really an option.

2) Privelege separaration, while a great idea, is not the same as there
being no bug - there is still an exploitable bug in the openssh code.
And it seems to me that much time is being wasted pointing fingers about
why vendors aren't helping with privelege separation; stop complaining
about vendors and fix the bugs in your code.

3) If the openssh team has discovered the bug, the black hats have already
discovered it as well. Delaying publication only gives the blackhats
notice that they'd better hack as many systems as they can before the fix
comes out. Release now and let the community help you fix the bug (since
apparently it's so complicated that you can't fix it right away on your


 I worry about my child and the Internet all the time, even though she's
 too young to have logged on yet. Here's what I worry about. I worry
 that 10 or 15 years from now, she will come to me and say "Daddy, where
 were you when they took freedom of the press away from the Internet?"
        -- Mike Godwin

Version: GnuPG v1.0.6 (FreeBSD)
Comment: See


To Unsubscribe: send mail to
with "unsubscribe freebsd-security" in the body of the message