Date: Wed, 26 Jun 2002 12:49:14 -0400
From: Mike Tancsa <mike@sentex.net>
To: Brett Glass <brett@lariat.org>, Darren Reed <avalon@coombs.anu.edu.au>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory)
Message-ID: <5.1.0.14.0.20020626124711.053ff7c8@marble.sentex.ca>
In-Reply-To: <4.3.2.7.2.20020626101626.02274c80@localhost>
References: <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> <200206261452.AAA26617@caligula.anu.edu.au> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca>
I really don't want to get into what was intended and the politics of when
what was released etc. That's best on another list. I only wanted to get as
much clarity on how to either upgrade or work around the security issue in
an expedient and safe manner relevant for my network.
---Mike
At 10:23 AM 26/06/2002 -0600, Brett Glass wrote:
>Mike:
>
>It is clear that Theo was attempting to have people apply the workaround
>which had the least chance of revealing the nature of the bug in advance,
>lest it be discovered by others and exploited.
>
>It's truly sad that ISS, which knew about Theo's advisory, released this
>information today, instead of next week as Theo asked them to. If Theo's
>roadmap for disclosure had been followed, more administrators could have
>been informed about the bug, and they would have had time to take
>preventive measures through the weekend before the skript kiddies began
>their race to exploit the bug. Now, the race has begun. In fact, the
>problem has been exacerbated because administrators who *could* have
>secured their systems thought they'd have time to do so over the weekend.
>
>Theo made a worthy attempt to minimize harm (which should be the goal of
>any security policy). It's a shame that ISS sought the spotlight instead
>of doing the same.
>
>--Brett Glass
>
>At 09:10 AM 6/26/2002, Mike Tancsa wrote:
>
>
>>Also, the ISS advisory states
>>
>>"Administrators can remove this vulnerability by disabling the
>>Challenge-Response authentication parameter within the OpenSSH daemon
>>configuration file. This filename and path is typically:
>>/etc/ssh/sshd_config. To disable this parameter, locate the corresponding
>>line and change it to the line below: ChallengeResponseAuthentication no "
>>
>>This would imply there is a workaround, but the talk beforehand
>>
>>----quote from Message-Id: <200206242327.g5ONRBLI012690@cvs.openbsd.org>---
>>
>>Bullshit.
>>
>>You have been told to move up to privsep so that you are immunized by
>>the time the bug is released.
>>
>>If you fail to immunize your users, then the best you can do is tell
>>them to disable OpenSSH until 3.4 is out early next week with the
>>bugfix in it. Of course, then the bug will be public.
>>----end-quote---
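An added example for readers of this thread, not code from the list or from OpenSSH: a POSIX sh audit that reads an sshd_config the way sshd does (first matching non-comment line wins, keyword case-insensitive, whitespace or '=' separator) and reports whether the ISS workaround (ChallengeResponseAuthentication no) and Theo's privsep mitigation are in effect. It assumes the privsep keyword is UsePrivilegeSeparation, which the thread does not name; both config files are constructed.

```shell
#!/bin/sh
# Effective value of KEY in FILE, following sshd's parsing rules: the first
# non-comment line whose keyword matches (case-insensitively) wins, and the
# keyword may be separated from its value by whitespace or '='.
sshd_option() (
    set -f                                  # no globbing while word-splitting
    file=$1; key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $(printf '%s' "$line" | tr '=' ' ')
        [ $# -ge 2 ] || continue            # blank line or keyword without value
        case $1 in '#'*) continue ;; esac   # comment line
        [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = "$key" ] || continue
        printf '%s\n' "$2"; exit 0
    done < "$file"
    exit 1                                  # not set: caller applies the default
)

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# ISS workaround in effect? sshd's documented default for this option is yes,
# so an absent line still counts as vulnerable.
challenge_response_disabled() {
    v=$(sshd_option "$1" ChallengeResponseAuthentication) || v=yes
    [ "$(lower "$v")" = no ]
}

# Privsep explicitly on? An absent line is treated as "not verified" (fail),
# since the built-in default differs between OpenSSH releases (assumption).
privsep_enabled() {
    v=$(sshd_option "$1" UsePrivilegeSeparation) || return 1
    [ "$(lower "$v")" = yes ]
}

# Constructed configs: one still vulnerable, one with both mitigations.
VULN_CFG=$(mktemp); FIXED_CFG=$(mktemp)
trap 'rm -f "$VULN_CFG" "$FIXED_CFG"' EXIT
printf '%s\n' '#ChallengeResponseAuthentication no' 'Port 22' \
    'ChallengeResponseAuthentication yes' \
    'challengeresponseauthentication no' > "$VULN_CFG"   # first match wins
printf '%s\n' 'ChallengeResponseAuthentication no' \
    'UsePrivilegeSeparation=yes' > "$FIXED_CFG"

for f in "$VULN_CFG" "$FIXED_CFG"; do
    challenge_response_disabled "$f" && echo "$f: challenge-response off (ok)" \
        || echo "$f: challenge-response still enabled (vulnerable)"
    privsep_enabled "$f" && echo "$f: privsep on (ok)" \
        || echo "$f: privsep not confirmed (check sshd version default)"
done
```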
