From owner-freebsd-security Mon Jun 24 19:02:38 2002
Delivered-To: freebsd-security@freebsd.org
Received: from d188h80.mcb.uconn.edu (d188h80.mcb.uconn.edu [137.99.188.80]) by hub.freebsd.org (Postfix) with SMTP id 8CB1737B400 for ; Mon, 24 Jun 2002 19:02:30 -0700 (PDT)
Received: (qmail 92208 invoked by uid 1001); 25 Jun 2002 02:02:29 -0000
Date: Mon, 24 Jun 2002 22:02:29 -0400
From: "Peter C. Lai"
To: Chris BeHanna
Cc: FreeBSD Security , deraadt@cvs.openbsd.org
Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd)
Message-ID: <20020624220229.A92101@cowbert.2y.net>
Reply-To: peter.lai@uconn.edu
References: <20020624163538.H10398-100000@yez.hyperreal.org> <20020624212557.R7245-100000@topperwein.dyndns.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20020624212557.R7245-100000@topperwein.dyndns.org>; from behanna@zbzoom.net on Mon, Jun 24, 2002 at 09:35:06PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Is OpenSSH 3.3 now part of the base system? So are we phasing out ssh as part of the base system (since the answer to the first question is no, and therefore only the portable versions have privsep available)?

Again, we don't know if older versions of ssh are vulnerable or not. I suppose this notice is great for those on the bleeding edge, but doesn't help the rest of the majority of users, who probably *aren't* running 3.3. The FreeBSD security-officer tries to help the general cross-section of the users, not just the few who run the latest and greatest.
On Mon, Jun 24, 2002 at 09:35:06PM -0400, Chris BeHanna wrote:
> Although I sympathize with the desire to be able to make informed
> decisions regarding older versions of supported software that's in the
> field, I have to say that I side with Theo here: We're being warned that
> a critical exploit will be published in a few days, along with the
> simultaneous release of a version of the software that fixes the bug
> that leads to the exploit, AND we're being told how to immunize
> ourselves against the exploit--using currently-available
> software--several days in advance of the announcement.
>
> Result: it's possible to completely prevent the window of
> vulnerability that usually exists between the announcement of an
> exploit and the availability of a fix for same. Any other way
> *guarantees* that there will be a leak prior to the bugfix release,
> causing more than a few folks to get burned by the exploit before they
> get a chance to read their mail and learn how to enable the workaround.
> In a perfect world, Theo could publicize the exploit without fear of
> it being used to burn people prior to their learning how to use the
> workaround. But in a perfect world, we wouldn't need OpenSSH.
>
> Thank you, Theo.
>
> --
> Chris BeHanna
> Software Engineer (Remove "bogus" before responding.)
> behanna@bogus.zbzoom.net
> Turning coffee into software since 1990.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
http://cowbert.2y.net/