Date: Mon, 24 Jun 2002 20:25:01 -0600
From: Theo de Raadt <deraadt@cvs.openbsd.org>
To: Brian Nelson <notgod@notgod.com>
Cc: Jason Stone <jason-fbsd-security@shalott.net>, FreeBSD Security <security@FreeBSD.ORG>
Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability
Message-ID: <200206250225.g5P2P1LI012658@cvs.openbsd.org>
In-Reply-To: Your message of "Mon, 24 Jun 2002 19:21:50 PDT." <3D17D3BE.8010803@notgod.com>

Do not let this man drive.

> From: Brian Nelson <notgod@notgod.com>
> User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.0.0) Gecko/20020606
> X-Accept-Language: en-us, en
> MIME-Version: 1.0
> To: Theo de Raadt <deraadt@cvs.openbsd.org>
> CC: Jason Stone <jason-fbsd-security@shalott.net>,
>     FreeBSD Security <security@FreeBSD.ORG>
> Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability
> References: <200206250156.g5P1upLJ029822@cvs.openbsd.org>
> Content-Type: text/plain; charset=us-ascii; format=flowed
> Content-Transfer-Encoding: 7bit
> X-Spam-Level:
>
> Theo de Raadt wrote:
>
> > Jason is begging that I release a patch tomorrow. What do the
> > rest of you think? Do you wish to be immunized first or should we
> > just post a patch, and have a public exploit a day later?
>
> Just tossing an idea out (that I am sure a great number of you will not
> like)...
>
> How about working with the OS security officer (and whoever else) to
> release a binary SSHD (PGP/GPG signed by the SA's of the OS's), but not
> have the patches committed into public view (CVS, etc) until you feel
> it's the right time to release the specifics... I would think this would
> minimize exposure while allowing people to secure their machines...
>
> Of course, this assumes that you (and other people) trust the SO's not
> to use and/or publish the information without your permission... maybe
> copyrighting the source (like the OpenBSD iso) and then you can manage
> the permissions on the source patch... and release the rights on the
> patch when the moon aligns with Orion's belt....
>
> -Brian