Date:      Wed, 26 Jun 2002 12:01:29 -0600
From:      Brett Glass <brett@lariat.org>
To:        Bosko Milekic <bmilekic@unixdaemons.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Users of FreeBSD releases should upgrade OpenSSH too (Was: The "race" that Theo sought to avoid...)
Message-ID:  <4.3.2.7.2.20020626115517.022108b0@localhost>
In-Reply-To: <20020626132416.A42340@unixdaemons.com>
References:  <4.3.2.7.2.20020626101626.02274c80@localhost> <200206261452.AAA26617@caligula.anu.edu.au> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> <4.3.2.7.2.20020626101626.02274c80@localhost>

At 11:24 AM 6/26/2002, Bosko Milekic wrote:

> I think that what you're saying is reasonable, however, I know (now
> almost for a fact) that there was an exploit going around already. 

In that case, the correct thing to do would have been to warn that
turning on Privilege Separation was urgent because the bug was
being exploited. That way, people who had planned upgrades for
the weekend would not have been blindsided.

> So,
> it's better that the information has been released sooner rather than later.
> And, since it appears that the OpenSSH that ships with our -STABLE is
> not affected, all the easier this is for those of us who were in the
> middle of implementing "drastic measures" (for fear of the worst), as
> it allows us to step back, relax, and enjoy the fireworks.

Don't do that. When the OpenSSH team fixed the bug that ISS found, it 
also nuked some other bugs. Some of these may have been present in 2.9,
and they'll now be obvious to black hats. (Nice, clean, color-coded 
diffs that can be generated automatically via the CVS Web interface.)
So, users of FreeBSD releases (or -STABLE, -CURRENT, or release 
engineering snapshots) should not rest easy. An upgrade to 3.4 is
mandatory for everyone.

--Brett


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
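The two things Brett asks an administrator to establish (is sshd running with privilege separation, and is the installed OpenSSH at least 3.4) can be checked mechanically. The following is an added example and not code from the thread or from the FreeBSD or OpenSSH projects. It assumes the version banner format that `ssh -V` prints ("OpenSSH_3.4p1, ..."), the sshd_config keyword `UsePrivilegeSeparation`, and the FreeBSD default config path /etc/ssh/sshd_config; the sample banners and config files it exercises are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): classify a host by the
# two criteria in the message above. A host whose OpenSSH is >= 3.4 is "ok";
# one that is older but has privilege separation explicitly on is
# "upgrade-still-required"; one that is older and has no privsep is
# "upgrade-urgent". Version parsing assumes the `ssh -V` banner format
# "OpenSSH_<major>.<minor>...".

# openssh_version_ok BANNER
# Returns 0 if BANNER names OpenSSH 3.4 or later, 1 otherwise
# (including when BANNER is not an OpenSSH banner at all).
openssh_version_ok() {
    ver=$(printf '%s\n' "$1" \
        | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -gt 3 ] && return 0
    [ "$major" -eq 3 ] && [ "$minor" -ge 4 ] && return 0
    return 1
}

# privsep_enabled CONFIG_FILE
# Returns 0 only if the file explicitly sets "UsePrivilegeSeparation yes".
# sshd honours the first occurrence of a keyword and ignores keyword case;
# commented-out lines do not count. Because the built-in default differed
# between releases, an absent line is treated as "not known to be on".
privsep_enabled() {
    awk 'tolower($1) == "useprivilegeseparation" {
             found = 1; if (tolower($2) == "yes") ok = 1; exit
         }
         END { exit (found && ok) ? 0 : 1 }' "$1"
}

# assess_host BANNER CONFIG_FILE
# Prints one of: ok, upgrade-still-required, upgrade-urgent.
assess_host() {
    if openssh_version_ok "$1"; then
        echo ok
    elif privsep_enabled "$2"; then
        echo upgrade-still-required
    else
        echo upgrade-urgent
    fi
}

# Constructed sample configs (not taken from any real host) to exercise the checks.
CFG_PRIVSEP=$(mktemp)
printf 'Port 22\nUsePrivilegeSeparation yes\n' > "$CFG_PRIVSEP"
CFG_NOPRIVSEP=$(mktemp)
printf 'Port 22\n#UsePrivilegeSeparation yes\n' > "$CFG_NOPRIVSEP"
trap 'rm -f "$CFG_PRIVSEP" "$CFG_NOPRIVSEP"' EXIT

# Demonstration on a constructed pre-3.4 banner; on a live host run instead:
#   assess_host "$(ssh -V 2>&1)" /etc/ssh/sshd_config
assess_host "OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f" "$CFG_NOPRIVSEP"
```

`ssh -V` writes its banner to stderr, hence the `2>&1` in the usage comment. The classification deliberately never reports "ok" for a host below 3.4, matching the point of the message: privilege separation buys time, it does not replace the upgrade.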




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.3.2.7.2.20020626115517.022108b0>