From owner-freebsd-security Mon Jun 24 17:53:22 2002 Delivered-To: freebsd-security@freebsd.org Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 353E037B401 for ; Mon, 24 Jun 2002 17:53:19 -0700 (PDT) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id C12BD3A; Mon, 24 Jun 2002 19:53:18 -0500 (CDT) Received: from madman.nectar.cc (localhost [IPv6:::1]) by madman.nectar.cc (8.12.3/8.12.3) with ESMTP id g5P0rIiD043445; Mon, 24 Jun 2002 19:53:18 -0500 (CDT) (envelope-from nectar@madman.nectar.cc) Received: (from nectar@localhost) by madman.nectar.cc (8.12.3/8.12.3/Submit) id g5P0rIqT043444; Mon, 24 Jun 2002 19:53:18 -0500 (CDT) Date: Mon, 24 Jun 2002 19:53:18 -0500 From: "Jacques A. Vidrine" To: Theo de Raadt Cc: freebsd-security@FreeBSD.ORG Subject: Re: Hogwash Message-ID: <20020625005318.GB43386@madman.nectar.cc> Mail-Followup-To: "Jacques A. Vidrine" , Theo de Raadt , freebsd-security@FreeBSD.ORG References: <200206242327.g5ONRBLI012690@cvs.openbsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200206242327.g5ONRBLI012690@cvs.openbsd.org> User-Agent: Mutt/1.4i X-Url: http://www.nectar.cc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, Jun 24, 2002 at 05:27:11PM -0600, Theo de Raadt wrote: > > Nobody is `in' on the bug. The OpenSSH team has given details to no > > one so far, so we are assured to be blindsided. I'm afraid security > > contacts with various projects and vendors know no more than what was > > said in the bugtraq posting. > > Bullshit. You are reacting to my `blindsided' comment. The rest is factual, AFAIK, and your comments below seem to underline that. > You have been told to move up to privsep so that you are immunized by > the time the bug is released. > > If you fail to immunize your users, then the best you can do is tell > them to disable OpenSSH until 3.4 is out early next week with the > bugfix in it. Of course, then the bug will be public. > > I am not nearly naive enough to believe that we can release a patch > for this issue to any vendor, and have it not leak immediately. Still, we'll all be much more at ease once all the cards are on the table. I appreciate that you are trying to prepare users, but forgive me if I don't agree that witholding the details is the best approach. Cheers, -- Jacques A. Vidrine http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message