Date: Thu, 27 Jun 2002 13:36:59 +0930
From: Wincent Colaiuta <wincentcolaiuta@mac.com>
To: Theo de Raadt <deraadt@cvs.openbsd.org>, freebsd-security@freebsd.org
Subject: Re: Wow (or, How Theo should have handled it)
Message-ID: <53E21546-8983-11D6-BE6B-003065C60B4C@mac.com>
In-Reply-To: <200206261919.g5QJJLLI018466@cvs.openbsd.org>
On Thursday, 27 June, 2002, at 04:49 AM, Theo de Raadt wrote:

>> * Theo de Raadt (deraadt@cvs.openbsd.org) [020626 12:02]:
>>> We also did 5600 lines of further security auditing work over the last
>>> week. We're fairly convinced that some of the things we changed are
>>> relevant as well. i.e. more holes.
>>>
>>> And that is committed in 3.4
>>
>> Theo,
>>
>> When will we see an advisory and/or patches for older versions regarding
>> the other holes that you have uncovered?
>
> You won't.
>
> I've barely slept in a week.
>
> So many of you are being totally unreasonable people.

Great. That's just what I want... a rushed 3.4 release which contains 5600 lines of code "audited" by a team of sleep-deprived zombies. (joking... I do appreciate your efforts, Theo).

Seriously, Theo, the best thing you could've done would have been to fully disclose the original bug in the challenge/response code and the one-line fix (turn off challenge/response auth), and told people two things: firstly, that patches were being worked on; and secondly, that 3.4 was on the way soon and that it would be desirable to upgrade to that and activate priv separation so as to better cope with future potential holes.

Unfortunately, the way you DID handle it created a furore and upset an awful lot of people who spent hours and hours undergoing a rushed and complicated upgrade procedure on dozens or even hundreds of boxes, when they probably would've preferred to apply the one-line workaround and upgrade to 3.4 in a more reasonable time-frame (i.e. an orderly, planned upgrade; not a rushed, emergency one). To make matters worse, many of these people were using a version of OpenSSH that did not contain the vulnerability (remember, this is a FreeBSD list here).

Thanks once again for your work, Theo. I just wish things had gone a little bit more smoothly!

Regards
Wincent
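The one-line workaround Wincent refers to is `ChallengeResponseAuthentication no` in sshd_config. As an added example, not part of the original message and not OpenSSH's own tooling, the following POSIX shell script checks whether that workaround is actually in effect in a given sshd_config, applying two rules from sshd_config(5): the first occurrence of a keyword wins, and an absent keyword falls back to its default, which for ChallengeResponseAuthentication is yes (so a missing or commented-out line leaves the server exposed). It also reports whether UsePrivilegeSeparation is on, the defence-in-depth setting the message recommends. The two sample configs are constructed for this example; the function names effective_value and audit_sshd_config are the example's own.

```shell
#!/bin/sh
# Added example, not from the original message or from OpenSSH.
# Assumptions: '#' starts a comment, keywords are case-insensitive and
# separated from their value by whitespace, the first occurrence of a
# keyword wins (as sshd_config(5) states), and an absent
# ChallengeResponseAuthentication keyword means the default "yes".

# effective_value FILE KEYWORD
# Prints the value sshd would use for KEYWORD (lower-cased), or nothing
# if the keyword never appears uncommented.
effective_value() {
    file=$1
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    sed -e 's/#.*//' "$file" |
    awk -v key="$key" '
        { k = tolower($1) }
        k == key && !found { print tolower($2); found = 1 }
    '
}

# audit_sshd_config FILE
# Exit status 0 when challenge/response authentication is off, 1 when it
# is still on (explicitly or by default). Privilege separation is reported
# as additional information only.
audit_sshd_config() {
    cra=$(effective_value "$1" ChallengeResponseAuthentication)
    priv=$(effective_value "$1" UsePrivilegeSeparation)
    # Absent keyword: compiled-in default applies (assumption noted above).
    [ -z "$cra" ] && cra=yes
    if [ "$priv" = yes ]; then
        echo "info: UsePrivilegeSeparation is on"
    else
        echo "info: UsePrivilegeSeparation is off or unset"
    fi
    if [ "$cra" = no ]; then
        echo "ok: ChallengeResponseAuthentication is off in $1"
        return 0
    fi
    echo "EXPOSED: ChallengeResponseAuthentication is on in $1 (value: $cra)"
    return 1
}

# Constructed sample configs for the example (not real files).
EXAMPLE_DIR=${TMPDIR:-/tmp}/sshd_audit_example.$$
mkdir -p "$EXAMPLE_DIR"
BEFORE_CFG=$EXAMPLE_DIR/sshd_config.before
AFTER_CFG=$EXAMPLE_DIR/sshd_config.after

# "before": the workaround line is commented out, so the default (yes) applies.
printf '%s\n' \
    'Port 22' \
    '# ChallengeResponseAuthentication no' \
    'PasswordAuthentication yes' \
    > "$BEFORE_CFG"

# "after": the workaround applied (keyword case does not matter to sshd),
# plus privilege separation turned on. A later duplicate is ignored because
# the first occurrence wins.
printf '%s\n' \
    'Port 22' \
    'challengeresponseauthentication no' \
    'UsePrivilegeSeparation yes' \
    'ChallengeResponseAuthentication yes' \
    > "$AFTER_CFG"

# Run the audit on both samples; the "before" file is expected to fail.
audit_sshd_config "$BEFORE_CFG" || true
audit_sshd_config "$AFTER_CFG" || true
```

Run the audit against a real file with `audit_sshd_config /etc/ssh/sshd_config`; a non-zero exit status means the workaround is not in effect. The duplicate keyword in the "after" sample is there to show the first-match rule: appending `ChallengeResponseAuthentication no` to the end of a file that already sets it to yes higher up does nothing.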
