Date: Thu, 27 Jun 2002 10:20:27 +1000 (Australia/ACT)
From: Darren Reed <avalon@coombs.anu.edu.au>
To: kelp@plek.org (Travis Cole)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Wow
Message-ID: <200206270020.KAA09424@caligula.anu.edu.au>
In-Reply-To: <20020626212812.GA55744@ainaz.pair.com> from "Travis Cole" at Jun 26, 2002 05:28:14 PM
In some mail from Travis Cole, sie said:
>
> On Wed, Jun 26, 2002 at 01:20:57PM -0700, Chris Doherty wrote:
> > At some point, Theo de Raadt said:
> > > I've barely slept in a week.
> >
> > for myself with my one machine, I'm just annoyed. if I had gone through
> > this bullshit on 40 machines, when I could have just modified a config
> > file, I'd be pissed, and rightfully so.
> >
> > but, *shrug*. I'll not give such credence to vague warnings in the
> > future--lesson learned.
>
> Well, the fact is they just released 5600 lines of fixes and such
> for OpenSSH.

Theo said they reviewed ~5600 lines of code, not made 5600 lines of fixes.

> That's a big patch.

That's a big difference to what you said.

> And Theo has said there are probably other holes in there. I think I
> trust him on that.

But he doesn't know. Doesn't that alarm you? Aren't you concerned that if
they don't know if other holes were there, waiting, that they could easily
add in more new ones? Just like they did when they added this one in 2.9.9?

[...]

> They fix bugs. Bugs can cause security holes.

They also introduce bugs. Some of these bugs have caused security holes.

[...]

> And the PrivSep does reduce the chances of any still existing
> bugs causing real security issues.

Which begs the question, why is it disabled by default, at all?

Darren