From owner-freebsd-security Mon Jun 24 19:18:33 2002
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 11D3437B403 for ; Mon, 24 Jun 2002 19:18:25 -0700 (PDT)
Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.12.3/8.12.3) with SMTP id g5P2IJw6048632; Mon, 24 Jun 2002 22:18:19 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Date: Mon, 24 Jun 2002 22:18:19 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: peter.lai@uconn.edu
Cc: Chris BeHanna, FreeBSD Security, deraadt@cvs.openbsd.org
Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd)
In-Reply-To: <20020624220229.A92101@cowbert.2y.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

We're in the process of merging OpenSSH 3.3 into -CURRENT, and will do the
same for -STABLE shortly as well. In order to do this and maintain PAM
support, we'll be jumping from the base OpenSSH distribution to the
OpenSSH-portable distribution, which includes support for PAM (as PAM is
not used in OpenBSD). Because 5.0-CURRENT uses OpenPAM rather than
Linux-PAM, we'll need to do a little testing and make sure the adaptation
works properly in combination with Privilege Separation. You should see
commit messages from this merge work over the next couple of days.

It's not yet clear how we should handle OpenSSH and the various RELENG_4_X
branches; it might depend a bit on the complexity of the merge work and
the nature of the vulnerability once vulnerability information is
published. Typically for patch levels on released versions, we've adopted
a highly conservative approach for security bug fixes, avoiding complex
and risky changes and leaning in a more minimal direction. Obviously which
way we go on that one will depend on the nature of the vulnerability.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories

On Mon, 24 Jun 2002, Peter C. Lai wrote:

> Is OpenSSH 3.3 now part of the base system? So are we phasing out
> ssh as part of the base system (since the answer to the first
> question is no, and therefore only the portable versions
> have privsep available)? Again, we don't know if
> older versions of ssh are vulnerable or not. I suppose
> this notice is great for those on the bleeding edge, but
> doesn't help the rest of the majority of users, who probably
> *aren't* running 3.3. The FreeBSD security-officer tries
> to help the general cross-section of the users, not just
> the few who run the latest and greatest.
>
> On Mon, Jun 24, 2002 at 09:35:06PM -0400, Chris BeHanna wrote:
> > Although I sympathize with the desire to be able to make informed
> > decisions regarding older versions of supported software that's in the
> > field, I have to say that I side with Theo here: We're being warned that
> > a critical exploit will be published in a few days, along with the
> > simultaneous release of a version of the software that fixes the bug
> > that leads to the exploit, AND we're being told how to immunize
> > ourselves against the exploit--using currently-available
> > software--several days in advance of the announcement.
> >
> > Result: it's possible to completely prevent the window of
> > vulnerability that usually exists between the announcement of an
> > exploit and the availability of a fix for same. Any other way
> > *guarantees* that there will be a leak prior to the bugfix release,
> > causing more than a few folks to get burned by the exploit before they
> > get a chance to read their mail and learn how to enable the workaround.
> > In a perfect world, Theo could publicize the exploit without fear of
> > it being used to burn people prior to their learning how to use the
> > workaround. But in a perfect world, we wouldn't need OpenSSH.
> >
> > Thank you, Theo.
> >
> > --
> > Chris BeHanna
> > Software Engineer (Remove "bogus" before responding.)
> > behanna@bogus.zbzoom.net
> > Turning coffee into software since 1990.
>
> --
> Peter C. Lai
> University of Connecticut
> Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
> http://cowbert.2y.net/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message