Date:      Mon, 24 Jun 2002 21:35:06 -0400 (EDT)
From:      Chris BeHanna <behanna@zbzoom.net>
To:        FreeBSD Security <security@freebsd.org>
Cc:        deraadt@cvs.openbsd.org
Subject:   Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd)
Message-ID:  <20020624212557.R7245-100000@topperwein.dyndns.org>
In-Reply-To: <20020624163538.H10398-100000@yez.hyperreal.org>

    Although I sympathize with the desire to be able to make informed
decisions regarding older versions of supported software that's in the
field, I have to say that I side with Theo here:  We're being warned that
a critical exploit will be published in a few days, along with the
simultaneous release of a version of the software that fixes the bug
that leads to the exploit, AND we're being told how to immunize
ourselves against the exploit--using currently-available
software--several days in advance of the announcement.

    Result:  it's possible to completely prevent the window of
vulnerability that usually exists between the announcement of an
exploit and the availability of a fix for same.  Any other way
*guarantees* that there will be a leak prior to the bugfix release,
causing more than a few folks to get burned by the exploit before they
get a chance to read their mail and learn how to enable the workaround.
In a perfect world, Theo could publicize the exploit without fear of
it being used to burn people prior to their learning how to use the
workaround.  But in a perfect world, we wouldn't need OpenSSH.

    Thank you, Theo.

-- 
Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
                 Turning coffee into software since 1990.

