Re: Hogwash

From: Theo de Raadt (deraadt@cvs.openbsd.org)
Date: 06/25/02


To: Sean Kelly <smkelly@zombie.org>
Date: Mon, 24 Jun 2002 21:32:26 -0600
From: Theo de Raadt <deraadt@cvs.openbsd.org>

This one is clearly different. We have a tool which can avoid people being
holed, without having to publish a patch.

If you don't understand that, please go back and study the situation more.

By holding this information back for a few more days, we are
permitting a very important protocol to be upgraded in an immune way,
OR YOU CAN TURN IT OFF NOW.

> On Mon, Jun 24, 2002 at 08:03:08PM -0600, Theo de Raadt wrote:
> > I'm not giving away any hints. Assume the worst and do the upgrade,
> > and if you dislike the way I handled this, don't buy me that beer
> > later.
>
> I'm just curious when this OpenBSD policy change took effect. According to
> http://www.openbsd.org/security.html#disclosure:
>
> Full Disclosure
> Like many readers of the BUGTRAQ mailing list, we believe in
> full disclosure of security problems. In the operating system
> arena, we were probably the first to embrace the concept. Many
> vendors, even of free software, still try to hide issues from
> their users.
>
> Security information moves very fast in cracker circles. On the
> other hand, our experience is that coding and releasing of
> proper security fixes typically requires about an hour of work
> -- very fast fix turnaround is possible. Thus we think that
> full disclosure helps the people who really care about
> security.
>
> Not all of us are in the position to use cutting edge OpenSSH-portable
> versions. By you holding back this information, you are only hurting those
> who *CAN'T* upgrade to your latest and greatest. Has there actually been
> enough testing of privsep to say that it contains no bugs? It seems to me
> that we'd all be better off if you just released a diff and let us all fix
> our own wounds.
>
> --
> Sean Kelly | PGP KeyID: 77042C7B
> smkelly@zombie.org | http://www.zombie.org
