Date: Mon, 24 Jun 2002 22:18:19 -0400 (EDT)
From: Robert Watson <rwatson@freebsd.org>
To: peter.lai@uconn.edu
Cc: Chris BeHanna <behanna@zbzoom.net>, FreeBSD Security <security@freebsd.org>, deraadt@cvs.openbsd.org
Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd)
Message-ID: <Pine.NEB.3.96L.1020624221349.43916G-100000@fledge.watson.org>
In-Reply-To: <20020624220229.A92101@cowbert.2y.net>
We're in the process of merging OpenSSH 3.3 into -CURRENT, and will do the same for -STABLE shortly as well. In order to do this and maintain PAM support, we'll be jumping from the base OpenSSH distribution to the OpenSSH-portable distribution, which includes support for PAM (as PAM is not used in OpenBSD). Because 5.0-CURRENT uses OpenPAM rather than Linux-PAM, we'll need to do a little testing and make sure the adaptation works properly in combination with Privilege Separation. You should see commit messages from this merge-work over the next couple of days.

It's not yet clear how we should handle OpenSSH and the various RELENG_4_X branches; it might depend a bit on the complexity of the merge work and the nature of the vulnerability once vulnerability information is published. Typically for patch levels on released versions, we've adopted a highly conservative approach for security bug fixes, avoiding complex and risky changes and leaning in a more minimal direction. Obviously which way we go on that one will depend on the nature of the vulnerability.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories

On Mon, 24 Jun 2002, Peter C. Lai wrote:

> Is OpenSSH 3.3 now part of the base system? So are we phasing out
> ssh as part of the base system (since the answer to the first
> question is no, and therefore only the portable versions
> have privsep available)? Again, we don't know if
> older versions of ssh are vulnerable or not. I suppose
> this notice is great for those on the bleeding edge, but
> doesn't help the rest of the majority of users, who probably
> *aren't* running 3.3. The freebsd security-officer tries
> to help the general cross-section of the users, not just
> the few who run the latest and greatest.
>
> On Mon, Jun 24, 2002 at 09:35:06PM -0400, Chris BeHanna wrote:
> > Although I sympathize with the desire to be able to make informed
> > decisions regarding older versions of supported software that's in the
> > field, I have to say that I side with Theo here: We're being warned that
> > a critical exploit will be published in a few days, along with the
> > simultaneous release of a version of the software that fixes the bug
> > that leads to the exploit, AND we're being told how to immunize
> > ourselves against the exploit--using currently-available
> > software--several days in advance of the announcement.
> >
> > Result: it's possible to completely prevent the window of
> > vulnerability that usually exists between the announcement of an
> > exploit and the availability of a fix for same. Any other way
> > *guarantees* that there will be a leak prior to the bugfix release,
> > causing more than a few folks to get burned by the exploit before they
> > get a chance to read their mail and learn how to enable the workaround.
> > In a perfect world, Theo could publicize the exploit without fear of
> > it being used to burn people prior to their learning how to use the
> > workaround. But in a perfect world, we wouldn't need OpenSSH.
> >
> > Thank you, Theo.
> >
> > --
> > Chris BeHanna
> > Software Engineer                   (Remove "bogus" before responding.)
> > behanna@bogus.zbzoom.net
> > Turning coffee into software since 1990.
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
> --
> Peter C. Lai
> University of Connecticut
> Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
> http://cowbert.2y.net/