Date: Wed, 26 Jun 2002 12:49:14 -0400
From: Mike Tancsa <mike@sentex.net>
To: Brett Glass <brett@lariat.org>, Darren Reed <avalon@coombs.anu.edu.au>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory)
Message-ID: <5.1.0.14.0.20020626124711.053ff7c8@marble.sentex.ca>
In-Reply-To: <4.3.2.7.2.20020626101626.02274c80@localhost>
References: <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> <200206261452.AAA26617@caligula.anu.edu.au> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca>
I really don't want to get into what was intended and the politics of
when what was released etc. That's best on another list. I only wanted
to get as much clarity on how to either upgrade or work around the
security issue in an expedient and safe manner relevant for my network.

        ---Mike

At 10:23 AM 26/06/2002 -0600, Brett Glass wrote:
>Mike:
>
>It is clear that Theo was attempting to have people apply the workaround
>which had the least chance of revealing the nature of the bug in advance,
>lest it be discovered by others and exploited.
>
>It's truly sad that ISS, which knew about Theo's advisory, released this
>information today, instead of next week as Theo asked them to. If Theo's
>roadmap for disclosure had been followed, more administrators could have
>been informed about the bug, and they would have had time to take
>preventive measures through the weekend before the skript kiddies began
>their race to exploit the bug. Now, the race has begun. In fact, the
>problem has been exacerbated because administrators who *could* have
>secured their systems thought they'd have time to do so over the weekend.
>
>Theo made a worthy attempt to minimize harm (which should be the goal of
>any security policy). It's a shame that ISS sought the spotlight instead
>of doing the same.
>
>--Brett Glass
>
>At 09:10 AM 6/26/2002, Mike Tancsa wrote:
>
>
>>Also, the ISS advisory states
>>
>>"Administrators can remove this vulnerability by disabling the
>>Challenge-Response authentication parameter within the OpenSSH daemon
>>configuration file. This filename and path is typically:
>>/etc/ssh/sshd_config. To disable this parameter, locate the corresponding
>>line and change it to the line below: ChallengeResponseAuthentication no "
>>
>>This would imply there is a workaround, but the talk beforehand
>>
>>----quote from Message-Id: <200206242327.g5ONRBLI012690@cvs.openbsd.org>---
>>
>>Bullshit.
>>
>>You have been told to move up to privsep so that you are immunized by
>>the time the bug is released.
>>
>>If you fail to immunize your users, then the best you can do is tell
>>them to disable OpenSSH until 3.4 is out early next week with the
>>bugfix in it. Of course, then the bug will be public.
>>----end-quote---

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
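The two mitigations quoted in this message (the ISS workaround of setting ChallengeResponseAuthentication to no, and the OpenSSH team's advice to move to privilege separation) are both sshd_config changes, and the common way to get them wrong in a hurry is to append the new line to a file that already sets the same keyword earlier. The following audit script is an added example written for this archive page; it is not code from the thread, from ISS or from the OpenSSH project. It relies on two documented sshd_config(5) rules, that keywords are case-insensitive and accept either "Keyword value" or "Keyword = value", and that for each keyword the first value found in the file is the one used; the ChallengeResponseAuthentication default of yes is also from sshd_config(5). The UsePrivilegeSeparation keyword exists only in OpenSSH 3.3 and later. The function names, the temp-file handling and the two sample configs are constructed for illustration and assume a POSIX sh with awk and mktemp.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the two
# OpenSSH 3.3-era mitigations discussed above, i.e. the ISS workaround
# "ChallengeResponseAuthentication no" and the advice to run with
# privilege separation ("UsePrivilegeSeparation yes", OpenSSH 3.3+).
# Function names, temp files and config samples are constructed.

# effective_value FILE KEYWORD
# Print the value sshd would use for KEYWORD (lower-cased), or nothing if
# it is never set. sshd_config(5): keywords are case-insensitive, both
# "Keyword value" and "Keyword = value" are accepted, '#' starts a comment,
# and for each keyword the FIRST value found in the file is the one used.
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[[:space:]]*#/ { next }          # comment line
        NF == 0          { next }          # blank line
        {
            gsub(/=/, " ")                  # normalise "Keyword = value"
            if (tolower($1) == key) { print tolower($2); exit }
        }
    ' < "$1"
}

# audit_sshd_config FILE
# Returns 0 when both mitigations are in effect, 1 otherwise (and says why).
audit_sshd_config() {
    f="$1"
    rc=0
    cra=$(effective_value "$f" ChallengeResponseAuthentication)
    psep=$(effective_value "$f" UsePrivilegeSeparation)

    # sshd defaults ChallengeResponseAuthentication to "yes", so leaving it
    # unset keeps the challenge-response code path reachable.
    if [ "${cra:-yes}" != no ]; then
        echo "$f: ChallengeResponseAuthentication is '${cra:-unset, default yes}'; the FIRST occurrence must be 'no'"
        rc=1
    fi
    # No default is assumed for privsep here: require it to be set explicitly.
    if [ "$psep" != yes ]; then
        echo "$f: UsePrivilegeSeparation is '${psep:-unset}'; set 'UsePrivilegeSeparation yes' (sshd 3.3 or later)"
        rc=1
    fi
    return $rc
}

# Constructed sample: workaround applied correctly, privsep on.
sample_hardened() {
    cat <<'EOF'
# sshd_config (constructed sample)
Port 22
Protocol 2
UsePrivilegeSeparation yes
ChallengeResponseAuthentication no
PasswordAuthentication yes
EOF
}

# Constructed sample: the workaround was *appended*, but an earlier line
# already sets the keyword, so sshd keeps the first value ("yes") and the
# host is still exposed. This is the case a hurried admin needs flagged.
sample_appended() {
    cat <<'EOF'
# sshd_config (constructed sample)
Port 22
ChallengeResponseAuthentication yes
UsePrivilegeSeparation = no
# appended during the scramble after the advisory:
ChallengeResponseAuthentication no
EOF
}

# Stand-alone demo: write both samples to temp files and audit them.
demo() {
    for s in sample_hardened sample_appended; do
        t=$(mktemp) || return 1
        "$s" > "$t"
        if audit_sshd_config "$t"; then
            echo "$s: mitigated"
        else
            echo "$s: NOT mitigated"
        fi
        rm -f "$t"
    done
}

demo
```

To audit a live host, call audit_sshd_config /etc/ssh/sshd_config (or wherever the daemon's -f points) and remember that the running sshd only picks the change up after a reload or restart; the script reads the file, not the daemon's state.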