Date: Wed, 26 Jun 2002 18:12:43 -0400
From: Travis Cole <kelp@plek.org>
To: "Jacques A. Vidrine" <nectar@FreeBSD.ORG>
Cc: Mike Tancsa <mike@sentex.net>, Darren Reed <avalon@coombs.anu.edu.au>, freebsd-security@FreeBSD.ORG
Subject: Re: OpenSSH Advisory (was Re: Much ado about nothing.)
Message-ID: <20020626221240.GB58339@ainaz.pair.com>
In-Reply-To: <20020626152613.GD65700@madman.nectar.cc>
References: <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> <20020626152613.GD65700@madman.nectar.cc>
On Wed, Jun 26, 2002 at 10:26:13AM -0500, Jacques A. Vidrine wrote:
> On Wed, Jun 26, 2002 at 11:10:44AM -0400, Mike Tancsa wrote:
> > OK, but 2.9.9... is that really the same as FreeBSD's
> >
> > SSH-1.99-OpenSSH_2.9 FreeBSD localisations 20020307
>
> No, 2.9.9 is vulnerable; FreeBSD's 2.9 is not.
>
> [snip]
> > This would imply there is a workaround, but the talk beforehand
> [snip]
> deraadt> Bullshit.
>
> I know. I think people reading this list already know my opinion on
> the issue. I'm just happy that it's all out in the open now.

I think Theo had good reasons for not talking about the workaround. Had he
mentioned either version numbers or ChallengeResponseAuthentication it would
have immediately tipped off the blackhats. The most major change between 2.9
and 2.9.9 was the ChallengeResponse stuff. That's like 400 lines of code.
That makes the game much easier for the blackhats.

And even though the workaround is very quick to apply, we all know it's not
always that simple. It takes time for that sort of information to spread,
and you can't always run out and change configurations immediately. And what
if you actually use ChallengeResponseAuthentication? If they had told us
about ChallengeResponse earlier, then anyone who depended on
ChallengeResponse would be screwed.

--
-tcole

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
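The workaround under discussion is a single sshd_config directive, so the useful check on a defender's side is whether a given host's configuration actually resolves ChallengeResponseAuthentication to "no". The following is an added example, not code from the thread or from OpenSSH; it models sshd's config-parsing rules (case-insensitive keyword, whitespace or "=" separator, first occurrence of a keyword wins, "yes" as the default when the directive is absent) against constructed sample configurations.

```python
"""Resolve the effective ChallengeResponseAuthentication setting of an
sshd_config text, the way sshd itself would read it.

Added example, not part of the original mailing-list post. Modelled rules:
  * keywords are case-insensitive; a line whose first non-blank char is '#'
    is a comment and is ignored,
  * keyword and value may be separated by whitespace or '=',
  * the FIRST occurrence of a keyword wins; later duplicates are ignored,
  * if the keyword is absent, OpenSSH defaults the directive to "yes"
    (assumption based on OpenSSH's documented default).
"""
import re

DIRECTIVE = "challengeresponseauthentication"

# "Keyword value" or "Keyword=value", optionally indented.
_LINE_RE = re.compile(r"^\s*([A-Za-z]+)\s*(?:=|\s)\s*(\S+)")


def effective_value(config_text: str, keyword: str = DIRECTIVE) -> str:
    """Return the value sshd would use for `keyword` ("yes" if unset)."""
    for raw in config_text.splitlines():
        if raw.lstrip().startswith("#"):
            continue  # comment line, never a directive
        m = _LINE_RE.match(raw)
        if m and m.group(1).lower() == keyword:
            return m.group(2).strip('"').lower()  # first match wins
    return "yes"  # assumption: OpenSSH default for this directive


def workaround_applied(config_text: str) -> bool:
    """True only when ChallengeResponseAuthentication resolves to 'no'."""
    return effective_value(config_text) == "no"


# Constructed sample configurations (not taken from any real host).
HARDENED = "Port 22\n# workaround from the advisory\nChallengeResponseAuthentication no\n"
UNSET = "Port 22\nPasswordAuthentication yes\n"
DUPLICATE = "ChallengeResponseAuthentication yes\nChallengeResponseAuthentication no\n"
COMMENTED = "#ChallengeResponseAuthentication no\n"

if __name__ == "__main__":
    for name, cfg in [("hardened", HARDENED), ("unset", UNSET),
                      ("duplicate", DUPLICATE), ("commented", COMMENTED)]:
        print(f"{name:10s} ChallengeResponseAuthentication={effective_value(cfg)}"
              f"  workaround_applied={workaround_applied(cfg)}")
```

The "duplicate" and "commented" samples show the two ways an administrator can believe the directive is set while sshd still uses the default.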