Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd)

From: Jason Stone (jason-fbsd-security@shalott.net)
Date: 06/25/02


Date: Mon, 24 Jun 2002 18:50:23 -0700 (PDT)
From: Jason Stone <jason-fbsd-security@shalott.net>
To: FreeBSD Security <security@freebsd.org>



> Although I sympathize with the desire to be able to make informed
> decisions regarding older versions of supported software that's in the
> field, I have to say that I side with Theo here: We're being warned that
> a critical exploit will be published in a few days, along with the
> simultaneous release of a version of the software that fixes the bug
> that leads to the exploit, AND we're being told how to immunize
> ourselves against the exploit--using currently-available
> software--several days in advance of the announcement.

1) The problem for us is that we're still using openssh-2.x in -STABLE, so
privilege separation isn't really an option.

2) Privilege separation, while a great idea, is not the same as there
being no bug - there is still an exploitable bug in the openssh code.
And it seems to me that much time is being wasted pointing fingers about
why vendors aren't helping with privilege separation; stop complaining
about vendors and fix the bugs in your code.

3) If the openssh team has discovered the bug, the black hats have already
discovered it as well. Delaying publication only gives the black hats
notice that they'd better hack as many systems as they can before the fix
comes out. Release now and let the community help you fix the bug (since
apparently it's so complicated that you can't fix it right away on your
own...).

 -Jason

 -----------------------------------------------------------------------
 I worry about my child and the Internet all the time, even though she's
 too young to have logged on yet. Here's what I worry about. I worry
 that 10 or 15 years from now, she will come to me and say "Daddy, where
 were you when they took freedom of the press away from the Internet?"
        -- Mike Godwin

