Users of FreeBSD releases should upgrade OpenSSH too (Was: The "race" that Theo sought to avoid...)

From: Brett Glass (brett@lariat.org)
Date: 06/26/02


Date: Wed, 26 Jun 2002 12:01:29 -0600
To: Bosko Milekic <bmilekic@unixdaemons.com>
From: Brett Glass <brett@lariat.org>

At 11:24 AM 6/26/2002, Bosko Milekic wrote:

> I think that what you're saying is reasonable, however, I know (now
> almost for a fact) that there was an exploit going around already.

In that case, the correct thing to do would have been to warn that
turning on Privilege Separation was urgent because the bug was
being exploited. That way, people who had planned upgrades for
the weekend would not have been blindsided.

> So,
> it's better that the information has been released sooner, than later.
> And, since it appears that the OpenSSH that ships with our -STABLE is
> not affected, all the easier this is for those of us who were in the
> middle of implementing "drastic measures" (for fear of the worst), as
> it allows us to step back, relax, and enjoy the fireworks.

Don't do that. When the OpenSSH team fixed the bug that ISS found, it
also nuked some other bugs. Some of these may have been present in 2.9,
and they'll now be obvious to black hats. (Nice, clean, color-coded
diffs that can be generated automatically via the CVS Web interface.)
So, users of FreeBSD releases (or -STABLE, -CURRENT, or release
engineering snapshots) should not rest easy. An upgrade to 3.4 is
mandatory for everyone.

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
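As an added check (not part of the original message, and not FreeBSD's or OpenSSH's own code), a POSIX shell snippet that tests the two things Brett's advice hinges on: that the installed OpenSSH reports version 3.4 or later, and that sshd_config explicitly enables UsePrivilegeSeparation. The version strings and config fragments below are constructed for illustration; the live-host check at the end assumes the daemon's config is at /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example: does this host follow the thread's two recommendations?
#   1. OpenSSH version >= 3.4
#   2. UsePrivilegeSeparation explicitly set to "yes" in sshd_config

# Return 0 if an OpenSSH version string such as "OpenSSH_2.9p2" or
# "OpenSSH_3.4p1," (the trailing comma is what `ssh -V` prints on old
# releases) is 3.4 or newer; return 2 if the string is not recognised.
openssh_at_least_3_4() {
    ver=$(printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 4 ]; }
}

# Read sshd_config text on stdin; return 0 only if privilege separation is
# explicitly enabled. sshd honours the first occurrence of a keyword, so the
# first uncommented line is the one that counts. A config with no such line
# is reported as "not enabled" rather than guessing the daemon's default.
privsep_enabled() {
    setting=$(grep -i '^[[:space:]]*UsePrivilegeSeparation' | head -n 1 | awk '{print tolower($2)}')
    [ "$setting" = "yes" ]
}

# Convenience wrapper taking the config text as an argument.
privsep_enabled_in() {
    printf '%s\n' "$1" | privsep_enabled
}

# Constructed sample configs (not taken from any real host).
CONF_OLD='Port 22
Protocol 2
#UsePrivilegeSeparation yes
PermitRootLogin no'

CONF_NEW='Port 22
Protocol 2
UsePrivilegeSeparation yes
PermitRootLogin no'

# Stand-alone use: inspect the running host if ssh and its config are present.
if command -v ssh >/dev/null 2>&1 && [ -r /etc/ssh/sshd_config ]; then
    live_ver=$(ssh -V 2>&1 | awk '{print $1}')
    if openssh_at_least_3_4 "$live_ver"; then
        echo "version ok: $live_ver"
    else
        echo "UPGRADE NEEDED: $live_ver is older than 3.4 (or unrecognised)"
    fi
    if privsep_enabled < /etc/ssh/sshd_config; then
        echo "UsePrivilegeSeparation: yes"
    else
        echo "UsePrivilegeSeparation not explicitly enabled in /etc/ssh/sshd_config"
    fi
fi
```

The version check deliberately treats an unparseable `ssh -V` string as a failure rather than a pass, so a stripped or vendor-rebranded banner prompts a manual look instead of silent approval.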
