Re: Hogwash

From: Theo de Raadt (deraadt@cvs.openbsd.org)
Date: 06/25/02


To: Sean Kelly <smkelly@zombie.org>
Date: Mon, 24 Jun 2002 21:32:26 -0600
From: Theo de Raadt <deraadt@cvs.openbsd.org>

This one is clearly different. We have a tool which can avoid people being
holed, without having to publish a patch.

If you don't understand that, please go back and study the situation more.

By holding this information back for a few more days, we are
permitting a very important protocol to be upgraded in an immune way,
OR YOU CAN TURN IT OFF NOW.

> On Mon, Jun 24, 2002 at 08:03:08PM -0600, Theo de Raadt wrote:
> > I'm not giving away any hints. Assume the worst and do the upgrade,
> > and if you dislike the way I handled this, don't buy me that beer
> > later.
>
> I'm just curious when this OpenBSD policy change took effect. According to
> http://www.openbsd.org/security.html#disclosure:
>
> Full Disclosure
> Like many readers of the BUGTRAQ mailing list, we believe in
> full disclosure of security problems. In the operating system
> arena, we were probably the first to embrace the concept. Many
> vendors, even of free software, still try to hide issues from
> their users.
>
> Security information moves very fast in cracker circles. On the
> other hand, our experience is that coding and releasing of
> proper security fixes typically requires about an hour of work
> -- very fast fix turnaround is possible. Thus we think that
> full disclosure helps the people who really care about
> security.
>
> Not all of us are in the position to use cutting edge OpenSSH-portable
> versions. By you holding back this information, you are only hurting those
> who *CAN'T* upgrade to your latest and greatest. Has there actually been
> enough testing of privsep to say that it contains no bugs? It seems to me
> that we'd all be better off if you just released a diff and let us all fix
> our own wounds.
>
> --
> Sean Kelly | PGP KeyID: 77042C7B
> smkelly@zombie.org | http://www.zombie.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
