From owner-freebsd-security Mon Jun 24 18:56:15 2002
Message-Id: <200206250156.g5P1upLJ029822@cvs.openbsd.org>
To: Jason Stone
Cc: FreeBSD Security
Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd)
In-reply-to: Your message of "Mon, 24 Jun 2002 18:50:23 PDT." <20020624183837.P40482-100000@walter>
Date: Mon, 24 Jun 2002 19:56:51 -0600
From: Theo de Raadt

> > Although I sympathize with the desire to be able to make informed
> > decisions regarding older versions of supported software that's in the
> > field, I have to say that I side with Theo here: We're being warned that
> > a critical exploit will be published in a few days, along with the
> > simultaneous release of a version of the software that fixes the bug
> > that leads to the exploit, AND we're being told how to immunize
> > ourselves against the exploit--using currently-available
> > software--several days in advance of the announcement.

You are misinformed; the sky is not pink.

> 1) The problem for us is that we're still using openssh-2.x in -STABLE, so
> privilege separation isn't really an option.

Fine. Then turn sshd off.

> 2) Privilege separation, while a great idea, is not the same as there
> being no bug - there is still an exploitable bug in the openssh code.

Fine. So turn sshd off.
> And it seems to me that much time is being wasted pointing fingers about
> why vendors aren't helping with privilege separation; stop complaining
> about vendors and fix the bugs in your code.

Jason is begging that I release a patch tomorrow. What do the rest of you
think? Do you wish to be immunized first or should we just post a patch, and
have a public exploit a day later?

> 3) If the openssh team has discovered the bug, the black hats have already
> discovered it as well.

Maybe they have, maybe they have not. But it isn't published yet.

> Delaying publication only gives the blackhats
> notice that they'd better hack as many systems as they can before the fix
> comes out.

If they have it. Sure, fine. Blackhats -- shalott.net is a good target.

> Release now and let the community help you fix the bug (since
> apparently it's so complicated that you can't fix it right away on your
> own...).

It took about 3 minutes for the first rev.

Apparently you have a comprehension difficulty. I urge you to go back and
re-read what I posted to lots of lists. Perhaps some other people can help
you.