From owner-freebsd-security Mon Jun 24 18:35:33 2002
Delivered-To: freebsd-security@freebsd.org
Received: from topperwein.dyndns.org (acs-24-154-28-203.zoominternet.net [24.154.28.203]) by hub.freebsd.org (Postfix) with ESMTP id 2F10637B409 for ; Mon, 24 Jun 2002 18:35:28 -0700 (PDT)
Received: from topperwein (topperwein [192.168.168.10]) by topperwein.dyndns.org (8.12.3/8.12.3) with ESMTP id g5P1ZBLq007407; Mon, 24 Jun 2002 21:35:11 -0400 (EDT) (envelope-from behanna@zbzoom.net)
Date: Mon, 24 Jun 2002 21:35:06 -0400 (EDT)
From: Chris BeHanna
Reply-To: Chris BeHanna
To: FreeBSD Security
Cc: deraadt@cvs.openbsd.org
Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd)
In-Reply-To: <20020624163538.H10398-100000@yez.hyperreal.org>
Message-ID: <20020624212557.R7245-100000@topperwein.dyndns.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Although I sympathize with the desire to be able to make informed decisions regarding older versions of supported software that's in the field, I have to say that I side with Theo here: we're being warned that a critical exploit will be published in a few days, along with the simultaneous release of a version of the software that fixes the bug that leads to the exploit, AND we're being told how to immunize ourselves against the exploit--using currently-available software--several days in advance of the announcement.

Result: it's possible to completely prevent the window of vulnerability that usually exists between the announcement of an exploit and the availability of a fix for same. Any other way *guarantees* that there will be a leak prior to the bugfix release, causing more than a few folks to get burned by the exploit before they get a chance to read their mail and learn how to enable the workaround.
In a perfect world, Theo could publicize the exploit without fear of it being used to burn people prior to their learning how to use the workaround. But in a perfect world, we wouldn't need OpenSSH.

Thank you, Theo.

--
Chris BeHanna
Software Engineer (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
Turning coffee into software since 1990.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message