Users of FreeBSD releases should upgrade OpenSSH too (Was: The "race" that Theo sought to avoid...)
From: Brett Glass (brett@lariat.org)
Date: 06/26/02
Date: Wed, 26 Jun 2002 12:01:29 -0600
To: Bosko Milekic <bmilekic@unixdaemons.com>
From: Brett Glass <brett@lariat.org>

At 11:24 AM 6/26/2002, Bosko Milekic wrote:

> I think that what you're saying is reasonable, however, I know (now
> almost for a fact) that there was an exploit going around already.

In that case, the correct thing to do would have been to warn that
turning on Privilege Separation was urgent because the bug was
being exploited. That way, people who had planned upgrades for
the weekend would not have been blindsided.

> So,
> it's better that the information has been released sooner than later.
> And, since it appears that the OpenSSH that ships with our -STABLE is
> not affected, all the easier this is for those of us who were in the
> middle of implementing "drastic measures" (for fear of the worst), as
> it allows us to step back, relax, and enjoy the fireworks.

Don't do that. When the OpenSSH team fixed the bug that ISS found, it
also nuked some other bugs. Some of these may have been present in 2.9,
and they'll now be obvious to black hats. (Nice, clean, color-coded
diffs that can be generated automatically via the CVS Web interface.)

So, users of FreeBSD releases (or -STABLE, -CURRENT, or release
engineering snapshots) should not rest easy. An upgrade to 3.4 is
mandatory for everyone.

--Brett