Date: Wed, 26 Jun 2002 17:28:14 -0400
From: Travis Cole <kelp@plek.org>
To: freebsd-security@freebsd.org
Subject: Re: Wow
Message-ID: <20020626212812.GA55744@ainaz.pair.com>
In-Reply-To: <20020626202057.GA7152@zot.electricrain.com>
References: <20020626121754.F8071@mail.seattleFenix.net> <200206261919.g5QJJLLI018466@cvs.openbsd.org> <20020626202057.GA7152@zot.electricrain.com>

On Wed, Jun 26, 2002 at 01:20:57PM -0700, Chris Doherty wrote:
> At some point, Theo de Raadt said:
> > I've barely slept in a week.
>
> for myself with my one machine, I'm just annoyed. if I had gone through
> this bullshit on 40 machines, when I could have just modified a config
> file, I'd be pissed, and rightfully so.
>
> but, *shrug*. I'll not give such credence to vague warnings in the
> future--lesson learned.

Well, the fact is they just released 5600 lines of fixes and such
for OpenSSH.

ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1-vs-openbsd.diff.gz

That's a big patch. And Theo has said there are probably other holes
in there. I think I trust him on that.

I've watched the OpenBSD and OpenSSH projects for a long time, and
because of that I have some idea how things operate. They often fix
issues that may or may have led to a working exploit. They fix bugs.
Bugs can cause security holes. OpenSSH 3.4 has a *LOT* of bug fixes.
And the PrivSep does reduce the chances of any still existing bugs
causing real security issues.

http://www.citi.umich.edu/u/provos/ssh/privsep.html

It's a good idea to upgrade to 3.4. I've got 300 boxes that will be
upgraded soon. Most of them are running pre-3.0 SSH versions. I'm
upgrading anyway.

--
-tcole

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message