From owner-freebsd-security Thu Jun 27 0: 6:14 2002
Date: Wed, 26 Jun 2002 15:38:58 -0400
From: Bosko Milekic
To: freebsd-security@FreeBSD.ORG
Subject: Re: Wow [OpenSSH solutions]
Message-ID: <20020626153858.A43920@unixdaemons.com>
References: <200206261741.g5QHf3LI027927@cvs.openbsd.org> <867kklaneg.fsf@blade-runner.mit.edu> <1025118105.443.8.camel@ech.maverik.com>
In-Reply-To: <1025118105.443.8.camel@ech.maverik.com>; from tstevenson@maverik.com on Wed, Jun 26, 2002 at 01:01:45PM -0600

Folks,

Please stop this _now_. We really don't need to see any of this anymore and what's happening, as a result, is that those folks who are stuck having to weed through this thread to find the actual solution can no longer do that effectively, because it is cluttered with people complaining about this and that.

While I understand frustrations from all different angles, and while it would be wrong for me to argue that those frustrations are unreasonable, we need to compromise and let things slide. Let's suck it up here and make, if anything, one act that benefits the community as a whole. There was a problem with OpenSSH, it may or may not have been perfectly handled, but what happened happened. And now we have to move on.

freebsd-security, your options are:

1) If you run -STABLE, and you _really_ cannot upgrade for some reason to OpenSSH 3.4, staying with the version in -STABLE should be OK for what concerns this particular problem; consider allocating the resources for that upgrade Real Soon Now, though. If you insist, stay where you are, and I'm sure we'll be getting something from the security-officer suggesting to follow with option (2) below. If you're running -CURRENT, go to option (2) immediately.

2) Upgrade to 3.4. Not only does it properly solve the problem ISS and the OpenSSH team have warned us about, but it also solves several other issues that may be related to security. It's the new version, it's production, and it's what anyone who has the resources should move to, now that we know the nature of the problem. Trust me, this can be done fairly easily. You can even install into an isolated target directory and make appropriate [temporary] symlinks until 3.4 is properly imported, at which point you can remove the symlinks and use the imported version, if you so desire.

Again, I understand that resources were probably allotted to dealing with this problem and that some of them may have been avoidable. But things are the way they are and a solution _has_ been provided now, so continued complaints will not help the situation anymore, at all. Discussing the what, how, and where at this point is redundant.

Thank you all in advance for your cooperation and thank you to the OpenSSH team for 3.4, despite all differences in opinion regarding the way in which it came about.

Best regards,
--
Bosko Milekic
bmilekic@unixdaemons.com
bmilekic@FreeBSD.org

P.S.: If anyone cares to keep the discussion going for some reason, let's move it to -chat. No need to start any additional threads on -security. Thanks!