Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd)

From: Peter C. Lai (sirmoo@cowbert.2y.net)
Date: 06/25/02


Date: Mon, 24 Jun 2002 22:02:29 -0400
From: "Peter C. Lai" <sirmoo@cowbert.2y.net>
To: Chris BeHanna <behanna@zbzoom.net>

Is OpenSSH 3.3 now part of the base system? So are we phasing out
ssh as part of the base system (since the answer to the first
question is no, and therefore only the portable versions
have privsep available)? Again, we don't know if
older versions of ssh are vulnerable or not. I suppose
this notice is great for those on the bleeding edge, but
doesn't help the rest of the majority of users, who probably
*aren't* running 3.3. The FreeBSD security-officer tries
to help the general cross-section of the users, not just
the few who run the latest and greatest.

On Mon, Jun 24, 2002 at 09:35:06PM -0400, Chris BeHanna wrote:
> Although I sympathize with the desire to be able to make informed
> decisions regarding older versions of supported software that's in the
> field, I have to say that I side with Theo here: We're being warned that
> a critical exploit will be published in a few days, along with the
> simultaneous release of a version of the software that fixes the bug
> that leads to the exploit, AND we're being told how to immunize
> ourselves against the exploit--using currently-available
> software--several days in advance of the announcement.
>
> Result: it's possible to completely prevent the window of
> vulnerability that usually exists between the announcement of an
> exploit and the availability of a fix for same. Any other way
> *guarantees* that there will be a leak prior to the bugfix release,
> causing more than a few folks to get burned by the exploit before they
> get a chance to read their mail and learn how to enable the workaround.
> In a perfect world, Theo could publicize the exploit without fear of
> it being used to burn people prior to their learning how to use the
> workaround. But in a perfect world, we wouldn't need OpenSSH.
>
> Thank you, Theo.
>
> --
> Chris BeHanna
> Software Engineer (Remove "bogus" before responding.)
> behanna@bogus.zbzoom.net
> Turning coffee into software since 1990.
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
http://cowbert.2y.net/
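The workaround the thread refers to without naming it is the one in the 24 June 2002 OpenSSH advisory: run OpenSSH 3.3 or later and set UsePrivilegeSeparation yes in sshd_config. The following POSIX sh audit helper is an added example, not part of this thread or of OpenSSH itself. It takes a version string in the form `ssh -V` prints it (e.g. "OpenSSH_3.3p1"), checks whether it is 3.3 or newer, and reads the first uncommented UsePrivilegeSeparation line of a config file, since sshd uses the first value it obtains for a keyword. The sshd_config contents are constructed for the example.

```shell
#!/bin/sh
# Added example: audit an sshd for the June 2002 privsep workaround.
# Assumes the advisory's guidance (OpenSSH >= 3.3, UsePrivilegeSeparation yes).

# version_ge VERSION MINIMUM -> exit 0 if VERSION is at least MINIMUM.
# Accepts "OpenSSH_3.3p1" or bare "3.3"; compares major.minor only.
version_ge() {
    v1=$(printf '%s' "$1" | sed 's/^OpenSSH_//; s/p.*$//')
    v2=$(printf '%s' "$2" | sed 's/^OpenSSH_//; s/p.*$//')
    maj1=${v1%%.*}; min1=$(printf '%s' "$v1" | cut -d. -f2); min1=${min1:-0}
    maj2=${v2%%.*}; min2=$(printf '%s' "$v2" | cut -d. -f2); min2=${min2:-0}
    [ "$maj1" -gt "$maj2" ] && return 0
    [ "$maj1" -eq "$maj2" ] && [ "$min1" -ge "$min2" ] && return 0
    return 1
}

# privsep_enabled CONFIGFILE -> exit 0 if the first uncommented
# UsePrivilegeSeparation directive is "yes" (keyword match is case-insensitive,
# as in sshd_config). A commented-out "#UsePrivilegeSeparation" does not match.
privsep_enabled() {
    val=$(awk 'tolower($1) == "useprivilegeseparation" { print tolower($2); exit }' "$1")
    [ "$val" = "yes" ]
}

# assess VERSION CONFIGFILE -> prints a verdict; 0 = ok, 1 = privsep off, 2 = too old
assess() {
    if ! version_ge "$1" "3.3"; then
        echo "upgrade: $1 has no privilege separation to enable"
        return 2
    elif ! privsep_enabled "$2"; then
        echo "enable-privsep: set UsePrivilegeSeparation yes in $2"
        return 1
    else
        echo "ok: $1 with privilege separation enabled"
        return 0
    fi
}

# Constructed sample sshd_config (not taken from any real host).
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample sshd_config
Port 22
#UsePrivilegeSeparation no
UsePrivilegeSeparation yes
Subsystem sftp /usr/libexec/sftp-server
EOF

# Demo runs; on a live host replace the literals with "$(ssh -V 2>&1 | cut -d, -f1)"
# and /etc/ssh/sshd_config.
assess "OpenSSH_3.3p1" "$SAMPLE_CFG" || :
assess "OpenSSH_3.2.3p1" "$SAMPLE_CFG" || :
```

The version comparison deliberately ignores the portable "pN" suffix: the advisory's threshold was the 3.3 release itself, and the suffix only distinguishes portable builds from the OpenBSD tree that this thread contrasts with.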
