Re: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory)

From: Pete Ehlke (pde@rfc822.net)
Date: 06/26/02


Date: Wed, 26 Jun 2002 12:47:11 -0500
From: Pete Ehlke <pde@rfc822.net>
To: freebsd-security@FreeBSD.ORG

On Wed, Jun 26, 2002 at 10:23:14AM -0600, Brett Glass wrote:
> Mike:
>
> It is clear that Theo was attempting to have people apply the workaround
> which had the least chance of revealing the nature of the bug in advance,
> lest it be discovered by others and exploited.
>
> It's truly sad that ISS, which knew about Theo's advisory, released this
> information today, instead of next week as Theo asked them to. If Theo's
> roadmap for disclosure had been followed, more administrators could have
> been informed about the bug, and they would have had time to take
> preventive measures through the weekend before the skript kiddies began
> their race to exploit the bug. Now, the race has begun. In fact, the
> problem has been exacerbated because administrators who *could* have
> secured their systems thought they'd have time to do so over the weekend.
>
ISS have claimed to me in private mail that Bugtraq sat on the advisory for
some 30 hours, and that during that 30 hour period, ISS and the openssh
team, specifically including Theo, agreed to bring forward the
announcement date. Given the timing of the initial announcement's
appearance on various lists, I'm inclined to believe them about the
first part of that claim. The second part, especially given ISS' history
of appearing to be more concerned with being first to market with
advisories than with responsible vendor notification, is open to fairly
serious debate until Theo or someone else from openssh comments. Given
the pace of events this week, though, it's certainly not out of the
question.

But then, none of this belongs on -security, anyway ;)

-P.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message



Relevant Pages