From: Darren Reed
Subject: Re: Wow
To: kelp@plek.org (Travis Cole)
Cc: freebsd-security@FreeBSD.ORG
Date: Thu, 27 Jun 2002 10:20:27 +1000 (Australia/ACT)
Message-Id: <200206270020.KAA09424@caligula.anu.edu.au>
In-Reply-To: <20020626212812.GA55744@ainaz.pair.com> from "Travis Cole" at Jun 26, 2002 05:28:14 PM

In some mail from Travis Cole, sie said:
>
> On Wed, Jun 26, 2002 at 01:20:57PM -0700, Chris Doherty wrote:
> > At some point, Theo de Raadt said:
> > > I've barely slept in a week.
> >
> > for myself with my one machine, I'm just annoyed. if I had gone through
> > this bullshit on 40 machines, when I could have just modified a config
> > file, I'd be pissed, and rightfully so.
> >
> > but, *shrug*. I'll not give such credence to vague warnings in the
> > future--lesson learned.
>
> Well, the fact is they just released 5600 lines of fixes and such
> for OpenSSH.

Theo said they reviewed ~5600 lines of code, not made 5600 lines of fixes.

> That's a big patch.

That's a big difference to what you said.

> And Theo has said there are probably other holes in there. I think I
> trust him on that.

But he doesn't know. Doesn't that alarm you? Aren't you concerned that if
they don't know if other holes were there, waiting, that they could easily
add in more new ones? Just like they did when they added this one in 2.9.9?

[...]

> They fix bugs. Bugs can cause security holes.

They also introduce bugs. Some of these bugs have caused security holes.

[...]

> And the PrivSep does reduce the chances of any still existing
> bugs causing real security issues.

Which begs the question, why is it disabled by default, at all?

Darren