From owner-freebsd-security  Mon Jun 24 18:35:33 2002
Delivered-To: freebsd-security@freebsd.org
Received: from topperwein.dyndns.org (acs-24-154-28-203.zoominternet.net [24.154.28.203])
	by hub.freebsd.org (Postfix) with ESMTP id 2F10637B409
	for <security@freebsd.org>; Mon, 24 Jun 2002 18:35:28 -0700 (PDT)
Received: from topperwein (topperwein [192.168.168.10])
	by topperwein.dyndns.org (8.12.3/8.12.3) with ESMTP id g5P1ZBLq007407;
	Mon, 24 Jun 2002 21:35:11 -0400 (EDT)
	(envelope-from behanna@zbzoom.net)
Date: Mon, 24 Jun 2002 21:35:06 -0400 (EDT)
From: Chris BeHanna <behanna@zbzoom.net>
Reply-To: Chris BeHanna <behanna@zbzoom.net>
To: FreeBSD Security <security@freebsd.org>
Cc: deraadt@cvs.openbsd.org
Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd)
In-Reply-To: <20020624163538.H10398-100000@yez.hyperreal.org>
Message-ID: <20020624212557.R7245-100000@topperwein.dyndns.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

    Although I sympathize with the desire to be able to make informed
decisions regarding older versions of supported software that's in the
field, I have to say that I side with Theo here:  We're being warned that
a critical exploit will be published in a few days, along with the
simultaneous release of a version of the software that fixes the bug
that leads to the exploit, AND we're being told how to immunize
ourselves against the exploit--using currently-available
software--several days in advance of the announcement.

    Result:  it's possible to completely prevent the window of
vulnerability that usually exists between the announcement of an
exploit and the availability of a fix for same.  Any other way
*guarantees* that there will be a leak prior to the bugfix release,
causing more than a few folks to get burned by the exploit before they
get a chance to read their mail and learn how to enable the workaround.
In a perfect world, Theo could publicize the exploit without fear of
it being used to burn people prior to their learning how to use the
workaround.  But in a perfect world, we wouldn't need OpenSSH.

    Thank you, Theo.

-- 
Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
                 Turning coffee into software since 1990.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message